oss-sec mailing list archives
CVE request - node-connect: methodOverride middleware reflected cross-site scripting
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 15 Apr 2014 08:36:59 -0600
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744374

Package: node-connect
Severity: serious
Tags: security fixed-upstream

The Node Security Project discovered an XSS vulnerability in the node connect module, please fix this bug by upgrading node-connect.

Vulnerable: <=2.8.0
Patched: >=2.8.1

Report: https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
Upstream bug report: https://github.com/senchalabs/connect/issues/831
First fix: https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135
Second fix: https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a

Not sure if it needs one or two CVEs (did they do a release in between the fixes?)

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993