The web application has a CORS misconfiguration that allows arbitrary third-party domains to make read requests to unauthenticated APIs. The cause is the Access-Control-Allow-Origin: * response header, which permits all origins. Although web browsers restrict access to authenticated responses, an attacker could still access sensitive data in scenarios where the application relies on other forms of security, such as IP address whitelisting.
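The following is an added example, not code from the application described above: it flags the wildcard header in a response and builds an allowlist-based replacement. The origin values, the allowlist and the function names are assumptions made for illustration.

```javascript
'use strict';
// Added example. All origins and header sets below are constructed samples.

// Hypothetical allowlist of origins permitted to read API responses.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Look up a header case-insensitively in a plain object of response headers.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Classify the CORS policy expressed by a set of response headers.
function auditCors(headers) {
  const acao = getHeader(headers, 'Access-Control-Allow-Origin');
  if (acao === undefined) return 'no-cors-header';
  if (acao === '*') return 'wildcard';          // the finding described above
  return 'specific-origin';
}

// Build CORS headers for one request: echo the Origin only on an exact
// allowlist match (no prefix, suffix or substring matching).
function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin stops shared caches reusing one origin's response for another.
  const headers = { Vary: 'Origin' };
  if (typeof requestOrigin === 'string' && allowed.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  }
  return headers;
}

// Constructed sample: the misconfigured response and its hardened equivalent.
const weakResponse = { 'access-control-allow-origin': '*' };
const fixedResponse = corsHeadersFor('https://app.example.com');
console.log(auditCors(weakResponse), '->', auditCors(fixedResponse));
```

An origin that is not on the allowlist receives no Access-Control-Allow-Origin header at all, so the browser blocks the cross-origin read.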