The application implements an overly permissive Cross-Origin Resource Sharing policy, reflecting arbitrary origins or allowing credentials with wildcard origins.
An attacker could read sensitive data from the application via a malicious website, steal user credentials, or perform unauthorized actions by exploiting the permissive CORS policy.
Implement a strict allowlist of trusted origins. Never reflect the Origin request header without validating it. Avoid using wildcard origins with credentials. Validate the incoming Origin header value server-side against the allowlist before echoing it in Access-Control-Allow-Origin.