logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2016-10549 sails

Package

Manager: npm
Name: sails
Vulnerable Version: >=0 <0.12.7

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00254 pctl0.48586

Details

Sails before 0.12.7 vulnerable to Broken CORS Affected versions of `sails` have an issue with the CORS configuration where the value of the origin header is reflected as the value for the `Access-Control-Allow-Origin` header. This may allow an attacker to make AJAX requests to vulnerable hosts through cross-site scripting or a malicious HTML Document, effectively bypassing the Same Origin Policy. ## Mitigating Factors This is only an issue when `allRoutes` is set to `true` and `origin` is set to `*` or left commented out in the sails CORS config file. The problem can be compounded when the cors `credentials` setting is not provided, because at that point authenticated cross domain requests are possible. ## Recommendation Update to version 0.12.7 or later. As this vulnerability is primarily a user error, the patch for the vulnerability will simply cause the application to write an error message to the console when a vulnerable configuration is used in a production environment. Writing a proper CORS configuration is still the responsibility of the user, so it is necessary to check for the error message after installing the patch. Be sure you are not using `allRoutes: true` with `origin:'*'`, and that you uncomment `origin` and set it to a reasonable value. Ensure that if `origin` is set to `*` that you truly mean for all other websites to be able to make cross-domain requests to your API. Likewise, ensure `credentials` is uncommented out and set to the appropriate value. Make sure to explicitly set which origins may request resources via CORS.

Metadata

Created: 2019-02-18T23:40:10Z
Modified: 2022-08-03T21:27:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-qmv4-jgp7-mf68/GHSA-qmv4-jgp7-mf68.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-qmv4-jgp7-mf68
Finding: F039
Auto approve: 1