Broken CORS
Affecting sails package, versions <=0.12.7
Do your applications use this vulnerable package?
Test your applications
Overview
sails
is API-driven framework for building realtime apps, using MVC conventions (based on Express and Socket.io).
Sails version 0.12.6
and lower allowed the default CORS settings to be very permissive, letting the attacker to bypass the Same Origin Policy.
Remediation
Upgrade sails
to version 0.12.7 or higher.
References
CVSS Score
8.2
high severity
-
Attack VectorNetwork
-
Attack ComplexityLow
-
Privileges RequiredNone
-
User InteractionNone
-
ScopeUnchanged
-
ConfidentialityHigh
-
IntegrityLow
-
AvailabilityNone
- Credit
- Evan Johnson
- CVE
- CVE-2016-10549
- CWE
- CWE-284
- Snyk ID
- npm:sails:20161013
- Disclosed
- 13 Oct, 2016
- Published
- 20 Oct, 2016