Host has whitelisted a third party host for cross origin requests.
Severity: Medium
If the third party host has an XSS vulnerability it can be used to exploit your CORS configuration.
https://trusted-origin.example.com/?xss=<script>CORS-ATTACK-PAYLOAD</script>