Our security team identified that the web server accepts arbitrary
origin request header. The application implements cross-origin resource
sharing (CORS) policy for this request that allows access from any
domain. We tried request with different orig...