Vulnerability title
N/A
Vulnerability description
Sails is an MVC-style framework for building realtime web applications. Version 0.12.7 and earlier have an issue in the CORS configuration where the value of the Origin header is reflected as the value of the Access-Control-Allow-Origin header. This allows an attacker to send AJAX requests to vulnerable hosts through cross-site scripting or a malicious HTML document, effectively bypassing the Same Origin Policy. Note that this issue only exists when `allRoutes` is set to `true` and `origin` is set to `*` or left commented out in the Sails CORS config file. The problem can be compounded when the CORS `credentials` setting is not provided; at that point, authenticated cross-origin requests are possible.
CVSS information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability category
N/A
Vulnerability title
N/A
Vulnerability description
Sails is an MVC-style framework for building realtime web applications. Version 0.12.7 and lower have an issue with the CORS configuration where the value of the Origin header is reflected as the value of the Access-Control-Allow-Origin header. This would allow an attacker to make AJAX requests to vulnerable hosts through cross-site scripting or a malicious HTML document, effectively bypassing the Same Origin Policy. Note that this is only an issue when `allRoutes` is set to `true` and `origin` is set to `*` or left commented out in the Sails CORS config file. The problem can be compounded when the CORS `credentials` setting is not provided. At that point authenticated cross-domain requests are possible.
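The following is an added example, not code from the Sails project: it audits a Sails 0.12-style CORS config object for the exact combination the advisory names (`allRoutes: true` with `origin` set to `*` or omitted, and `credentials` not disabled) and shows the allowlist check a hardened config relies on instead of echoing the caller's Origin. It assumes that an omitted `origin` behaves like `*` and an omitted `credentials` behaves like `true`, as the advisory's wording implies; the sample config objects are constructed.

```javascript
// Audit a Sails-style config/cors.js object for the advisory's weak combination.
// Assumption (from the advisory text): omitted `origin` acts like '*', and
// omitted `credentials` acts like true.
function auditCorsConfig(config) {
  const findings = [];
  const origin = config.origin === undefined ? '*' : String(config.origin).trim();
  if (config.allRoutes === true && origin === '*') {
    findings.push(
      'allRoutes=true with origin "*" (or omitted): the request Origin is reflected ' +
      'into Access-Control-Allow-Origin on every route'
    );
    if (config.credentials !== false) {
      findings.push(
        'credentials not disabled: browsers attach cookies, so authenticated ' +
        'cross-origin requests become possible'
      );
    }
  }
  return findings;
}

// Hardened policy: only an exact match against the configured allowlist is
// echoed back; a wildcard or unknown Origin yields no header at all.
function allowedOriginFor(config, requestOrigin) {
  if (config.origin === undefined || String(config.origin).trim() === '*') {
    return null; // refuse to reflect arbitrary origins
  }
  const allowlist = String(config.origin)
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
  return allowlist.includes(requestOrigin) ? requestOrigin : null;
}

// Constructed sample configs; only the setting names come from the advisory.
const weakCorsConfig = { allRoutes: true, origin: '*' }; // credentials omitted
const hardenedCorsConfig = {
  allRoutes: true,
  origin: 'https://app.example.com, https://admin.example.com',
  credentials: true,
};
```

Running `auditCorsConfig(weakCorsConfig)` yields two findings, while the hardened config yields none and `allowedOriginFor` returns `null` for any origin outside its list.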
CVSS information
N/A
Vulnerability category
Improper access control
Vulnerability title
Sails security vulnerability
Vulnerability description
Sails is an MVC-style framework for building realtime web applications. Sails 0.12.7 and earlier contain a security vulnerability. An attacker can exploit it to send AJAX requests to vulnerable hosts, bypassing the Same Origin Policy.
CVSS information
N/A
Vulnerability category
Cross-site scripting