{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30484?format=json","vulnerability_id":"VCID-nbgt-whdd-xyf9","summary":"methodOverride Middleware Reflected Cross-Site Scripting\nConnect is a stack of middleware that is executed in order in each request.\n\nThe \"methodOverride\" middleware allows the http post to override the method of the request with the value of the \"_method\" post key or with the header \"x-http-method-override\".\n\nBecause the user post input was not checked, req.method could contain any kind of value. Because the req.method did not match any common method VERB, connect answered with a 404 page containing the \"Cannot [method] [url]\" content. The method was not properly encoded for output in the browser.\n\n\n###Example:\n```\n~ curl \"localhost:3000\" -d \"_method=<script src=http://nodesecurity.io/xss.js></script>\"\nCannot <SCRIPT SRC=HTTP://NODESECURITY.IO/XSS.JS></SCRIPT> /\n```\n\n###Credit:\n[Sergio Arcos](https://twitter.com/martes_trece)\n\n###History\n(2013-06-27) Bug reported:\nhttps://github.com/senchalabs/connect/issues/831\n\n(2013-06-27) First fix: escape req.method output\nhttps://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135\n\n(2013-06-27) Second fix: whitelist\nhttps://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a","aliases":[{"alias":"CVE-2013-7370"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/6514?format=json","purl":"pkg:npm/connect@2.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/connect@2.8.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/6513?format=json","purl":"pkg:npm/connect@2.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-81fd-hg84-jkcm"},{"vulnerability":"VCID-ff4q-8qw9-dfc1"},{"vulnerability":"VCID-nbgt-whdd-xyf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/connect@2.8.0"}],"references":[{"reference_url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/3.json","reference_id":"3","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/nodejs/security-wg/blob/main/vuln/npm/3.json"}],"weaknesses":[],"exploits":[],"severity_range_score":"6.5 - 6.5","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nbgt-whdd-xyf9"}