Lookup of vulnerable packages by Package URL.

Purl pkg:npm/connect@2.8.1
Type npm
Namespace
Name connect
Version 2.8.1
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 2.8.2
Latest_non_vulnerable_version 2.14.0
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-81fd-hg84-jkcm
vulnerability_id VCID-81fd-hg84-jkcm
summary
Cross-Site Scripting with connect.methodOverride()
The middleware overwrites req.method with the value of req.body['_method']. If the resulting error is not caught, Connect responds with the default error message "Cannot [METHOD] [URL]". Because that value is not sufficiently sanitized, a Cross-Site Scripting payload can be forced into the response.
references
0
reference_url https://github.com/senchalabs/connect/issues/831
reference_id
reference_type
scores
url https://github.com/senchalabs/connect/issues/831
fixed_packages
0
url pkg:npm/connect@2.8.1
purl pkg:npm/connect@2.8.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/connect@2.8.1
aliases GMS-2013-13
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-81fd-hg84-jkcm
1
url VCID-ff4q-8qw9-dfc1
vulnerability_id VCID-ff4q-8qw9-dfc1
summary
methodOverride Middleware Reflected Cross-Site Scripting
Connect is a stack of middleware that is executed in order in each request.

The "methodOverride" middleware allows an HTTP POST to override the method of the request with the value of the "_method" POST key or with the "x-http-method-override" header.

Because the POST input was not validated, req.method could contain an arbitrary value. When req.method did not match any standard HTTP verb, Connect answered with a 404 page containing "Cannot [method] [url]". The method was not properly encoded for output in the browser.

### Example:
```
~ curl "localhost:3000" -d "_method=<script src=http://nodesecurity.io/xss.js></script>"
Cannot <SCRIPT SRC=HTTP://NODESECURITY.IO/XSS.JS></SCRIPT> /
```

### Credit:
[Sergio Arcos](https://twitter.com/martes_trece)

### History
(2013-06-27) Bug reported:
https://github.com/senchalabs/connect/issues/831

(2013-06-27) First fix: escape req.method output
https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135

(2013-06-27) Second fix: whitelist
https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a
references
0
reference_url https://exchange.xforce.ibmcloud.com/vulnerabilities/92710
reference_id
reference_type
scores
url https://exchange.xforce.ibmcloud.com/vulnerabilities/92710
1
reference_url https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a
reference_id
reference_type
scores
url https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a
2
reference_url https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135
reference_id
reference_type
scores
url https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135
3
reference_url https://github.com/senchalabs/connect/issues/831
reference_id
reference_type
scores
url https://github.com/senchalabs/connect/issues/831
4
reference_url https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
reference_id
reference_type
scores
url https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
5
reference_url http://www.openwall.com/lists/oss-security/2014/04/21/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2014/04/21/2
6
reference_url http://www.openwall.com/lists/oss-security/2014/05/13/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2014/05/13/1
7
reference_url https://github.com/nodejs/security-wg/blob/main/vuln/npm/3.json
reference_id 3
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
url https://github.com/nodejs/security-wg/blob/main/vuln/npm/3.json
8
reference_url https://access.redhat.com/security/cve/cve-2013-7371
reference_id CVE-2013-7371
reference_type
scores
url https://access.redhat.com/security/cve/cve-2013-7371
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2013-7371
reference_id CVE-2013-7371
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2013-7371
10
reference_url https://security-tracker.debian.org/tracker/CVE-2013-7371
reference_id CVE-2013-7371
reference_type
scores
url https://security-tracker.debian.org/tracker/CVE-2013-7371
11
reference_url https://github.com/advisories/GHSA-6w62-83g6-rfhj
reference_id GHSA-6w62-83g6-rfhj
reference_type
scores
url https://github.com/advisories/GHSA-6w62-83g6-rfhj
fixed_packages
0
url pkg:npm/connect@2.8.1
purl pkg:npm/connect@2.8.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/connect@2.8.1
1
url pkg:npm/connect@2.8.2
purl pkg:npm/connect@2.8.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/connect@2.8.2
aliases CVE-2013-7371, GHSA-6w62-83g6-rfhj
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ff4q-8qw9-dfc1
2
url VCID-nbgt-whdd-xyf9
vulnerability_id VCID-nbgt-whdd-xyf9
summary
methodOverride Middleware Reflected Cross-Site Scripting
Connect is a stack of middleware that is executed in order in each request.

The "methodOverride" middleware allows an HTTP POST to override the method of the request with the value of the "_method" POST key or with the "x-http-method-override" header.

Because the POST input was not validated, req.method could contain an arbitrary value. When req.method did not match any standard HTTP verb, Connect answered with a 404 page containing "Cannot [method] [url]". The method was not properly encoded for output in the browser.

### Example:
```
~ curl "localhost:3000" -d "_method=<script src=http://nodesecurity.io/xss.js></script>"
Cannot <SCRIPT SRC=HTTP://NODESECURITY.IO/XSS.JS></SCRIPT> /
```

### Credit:
[Sergio Arcos](https://twitter.com/martes_trece)

### History
(2013-06-27) Bug reported:
https://github.com/senchalabs/connect/issues/831

(2013-06-27) First fix: escape req.method output
https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135

(2013-06-27) Second fix: whitelist
https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a
references
0
reference_url https://github.com/nodejs/security-wg/blob/main/vuln/npm/3.json
reference_id 3
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
url https://github.com/nodejs/security-wg/blob/main/vuln/npm/3.json
fixed_packages
0
url pkg:npm/connect@2.8.1
purl pkg:npm/connect@2.8.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/connect@2.8.1
aliases CVE-2013-7370
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nbgt-whdd-xyf9
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/connect@2.8.1