CORS is a safe way to relax the same-origin policy (SOP).
Description

It allows servers to explicitly specify, via the Access-Control-Allow-Origin header, the list of origins that are allowed to access their resources. Access-Control-Allow-Origin should be configured to allow cross-origin communication only from trusted sites. A misconfigured CORS policy allows attackers to steal data or perform actions on behalf of users.
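The following is an added example, not code from the original page: it computes the Access-Control-Allow-Origin header for an incoming request under two policies, the misconfigured one that reflects any Origin the browser sends, and the corrected one that only answers for an exact match against a fixed allow-list. The trusted origins and the hostnames used in the comments are constructed for the demo.

```javascript
// Added example (not from the original page): deciding which
// Access-Control-Allow-Origin header to send for a given request Origin.
// TRUSTED_ORIGINS is a constructed allow-list for this demo.

const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Misconfigured policy: reflects whatever Origin arrived and also allows
// credentials. Any site that can get a victim's browser to issue a request
// is then able to read the authenticated response.
function corsHeadersReflectAny(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Corrected policy: only an exact, case-sensitive match against the
// allow-list produces an Access-Control-Allow-Origin header. Everything
// else (no Origin, the literal 'null', lookalike or suffix-matching hosts)
// gets no CORS grant, so the browser refuses the cross-origin read.
// 'Vary: Origin' is always set so caches do not serve one origin's
// response to another.
function corsHeadersAllowList(requestOrigin) {
  if (!requestOrigin || !TRUSTED_ORIGINS.has(requestOrigin)) {
    return { 'Vary': 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Helper mirroring the browser's check: a page at `origin` may read the
// response only if the header names that origin exactly (or is '*',
// which browsers never combine with credentials).
function originCanRead(headers, origin) {
  const allowed = headers['Access-Control-Allow-Origin'];
  return allowed === '*' || allowed === origin;
}

// Stand-alone demo: contrast the two policies for one untrusted origin.
const untrusted = 'https://untrusted.invalid';
console.log('reflect-any lets untrusted origin read:',
  originCanRead(corsHeadersReflectAny(untrusted), untrusted));
console.log('allow-list lets untrusted origin read:',
  originCanRead(corsHeadersAllowList(untrusted), untrusted));
```

The allow-list uses exact string membership rather than a prefix, suffix or regular-expression test; partial matching is the usual way an intended allow-list becomes an effective reflect-any policy.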

Insecure direct object references

Direct object references occur when an application directly exposes internal objects, such as files and database records, without any authentication or authorization checks. This can lead to information leakage if the objects are not properly secured by access control lists (ACLs) and/or encryption mechanisms such as SSL/TLS.
https://t.co/AWZdiW6uzp
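As an added example that is not part of the original page, the handler below shows an insecure direct object reference beside its hardened form: a "get invoice" lookup that first trusts the id taken from the request, and then the same lookup with an ownership check plus an explicit ACL (the access control list the text refers to). The invoice records, user ids and ACL entries are constructed for the demo.

```javascript
// Added example (not from the original page): object-level authorization
// for an invoice lookup. All data below is constructed for the demo.

// Constructed sample store: invoices keyed by id, each with one owner.
const INVOICES = new Map([
  [1001, { id: 1001, ownerId: 'alice', total: 120.0 }],
  [1002, { id: 1002, ownerId: 'bob',   total: 89.5 }],
]);

// Constructed ACL: invoice id -> (user id -> set of permissions).
// Invoice 1002 is shared read-only with 'carol' (e.g. an accountant).
const ACL = new Map([
  [1002, new Map([['carol', new Set(['read'])]])],
]);

class NotAuthenticated extends Error {}

function requireSession(session) {
  if (!session || !session.userId) throw new NotAuthenticated('login required');
}

// Vulnerable version: once logged in, any user gets back whatever record
// the id in the URL points to. Ids are sequential, so a user can walk
// through other people's invoices simply by changing the number.
function getInvoiceInsecure(session, invoiceId) {
  requireSession(session);
  return INVOICES.get(invoiceId) || null;
}

// Authorization decision: the owner may read, and so may anyone the ACL
// explicitly grants 'read' on this object. The identity comes from the
// server-side session, never from a user-supplied "ownerId" parameter.
function canRead(session, invoice) {
  if (invoice.ownerId === session.userId) return true;
  const grants = ACL.get(invoice.id);
  return !!grants && grants.has(session.userId)
    && grants.get(session.userId).has('read');
}

// Hardened version: authentication, then an authorization check against
// the object itself. "Does not exist" and "not yours" give the same null
// so the response does not confirm which ids are valid.
function getInvoiceSecure(session, invoiceId) {
  requireSession(session);
  const invoice = INVOICES.get(invoiceId);
  if (!invoice || !canRead(session, invoice)) return null;
  return invoice;
}

// Stand-alone demo: bob asks for alice's invoice under both handlers.
const bob = { userId: 'bob' };
console.log('insecure handler leaks:', getInvoiceInsecure(bob, 1001));
console.log('secure handler returns:', getInvoiceSecure(bob, 1001));
```

The check lives next to the data access rather than in a front-end route guard, so every code path that reaches the record passes through it; making ids unguessable is a useful additional measure but does not replace this check.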
