Broken CORS

Affecting sails package, versions <=0.12.7

Overview

sails is an API-driven framework for building realtime apps using MVC conventions (based on Express and Socket.io).

Sails version 0.12.6 and lower shipped with very permissive default CORS settings, letting an attacker bypass the Same Origin Policy.
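The following is an added illustration, not code from the Sails project, of why a permissive default CORS setting defeats the Same Origin Policy and what the hardened form looks like beside it. The config shape ({ origin, credentials, methods }) and the origin-reflection behaviour are assumptions chosen for the demonstration, not a reproduction of Sails's internals; the two configs and the origins are constructed sample values. The audit function at the end is the check a reviewer would run over a deployment's CORS config before shipping it.

```javascript
// Added example (not Sails project code). Config keys and the reflection
// behaviour are assumptions made for this demonstration.

// Build the CORS response headers a server emits for a given request Origin.
function corsHeaders(config, requestOrigin) {
  const headers = {};
  if (!requestOrigin) return headers; // no Origin: same-origin or non-browser caller

  let allowed = false;
  let allowOriginValue = null;

  if (config.origin === '*') {
    allowed = true;
    // Browsers refuse "*" when credentials are in play, so a permissive server
    // that still wants cookies to work reflects the caller's Origin instead.
    // That is the dangerous combination: every origin is effectively
    // allow-listed, with the victim's cookies attached.
    allowOriginValue = config.credentials ? requestOrigin : '*';
  } else {
    // Hardened form: an explicit allow-list of trusted origins.
    const allowList = Array.isArray(config.origin)
      ? config.origin
      : String(config.origin).split(',').map((s) => s.trim());
    allowed = allowList.includes(requestOrigin);
    allowOriginValue = requestOrigin;
  }

  if (!allowed) return headers; // no ACAO header: the browser blocks the read

  headers['Access-Control-Allow-Origin'] = allowOriginValue;
  headers['Vary'] = 'Origin'; // responses differ per Origin; keep caches honest
  if (config.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  if (config.methods) headers['Access-Control-Allow-Methods'] = config.methods;
  return headers;
}

// Model the browser's decision: may a page at `pageOrigin` read this response?
function browserAllowsRead(headers, pageOrigin, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (!acao) return false;
  if (acao === '*') return !withCredentials; // wildcard is never valid with credentials
  return (
    acao === pageOrigin &&
    (!withCredentials || headers['Access-Control-Allow-Credentials'] === 'true')
  );
}

// Configuration audit: flag the risky settings before deployment.
function auditCorsConfig(config) {
  const findings = [];
  if (config.origin === '*' && config.credentials) {
    findings.push('wildcard origin combined with credentials: any site can make authenticated cross-origin reads');
  }
  if (config.origin === '*') {
    findings.push('wildcard origin: replace with an explicit allow-list of trusted origins');
  }
  return findings;
}

// Constructed sample configs: the weak setting beside the corrected one.
const permissiveConfig = { origin: '*', credentials: true, methods: 'GET, POST' };
const hardenedConfig = { origin: ['https://app.example.com'], credentials: true, methods: 'GET, POST' };

// Stand-alone demonstration with a constructed third-party origin.
const thirdParty = 'https://other-site.example';
console.log('permissive:', corsHeaders(permissiveConfig, thirdParty),
  'readable with cookies:', browserAllowsRead(corsHeaders(permissiveConfig, thirdParty), thirdParty, true));
console.log('hardened:', corsHeaders(hardenedConfig, thirdParty),
  'readable with cookies:', browserAllowsRead(corsHeaders(hardenedConfig, thirdParty), thirdParty, true));
console.log('audit findings:', auditCorsConfig(permissiveConfig));
```

The point of the audit check is the combination: a wildcard origin alone leaks only data that is already public, but a wildcard origin served together with credentials turns every authenticated endpoint into one any site in the user's browser can read. An explicit allow-list, with `Vary: Origin` so caches do not serve one origin's headers to another, is the remediation pattern the upgraded version's defaults should be checked against.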

Remediation

Upgrade sails to version 0.12.7 or higher.

References

CVSS Score

8.2 (high severity)
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Credit: Evan Johnson
CVE: CVE-2016-10549
CWE: CWE-284
Snyk ID: npm:sails:20161013
Disclosed: 13 Oct, 2016
Published: 20 Oct, 2016