github.com/play-with-docker/play-with-docker is vulnerable to information disclosure. Because of an incorrect CORS configuration, an attacker could, taking play-with-docker.com as an example, set the Origin header to evil-play-with-docker.com in HTTP requests. The domain echoes that origin back in its response headers, so the CORS policy is bypassed and basic user information can be retrieved.