CVE-2013-7370
Cross-site scripting (XSS) vulnerability in connect (npm)
What is CVE-2013-7370 About?
The `methodOverride` middleware in Connect is vulnerable to cross-site scripting (XSS) due to improper encoding of user-supplied input in error messages. Attackers can inject arbitrary script via the `_method` POST key, leading to client-side code execution. Exploitation is straightforward, requiring a crafted POST request.
Affected Software
Technical Details
The methodOverride middleware in Connect allows HTTP POST requests to override the standard HTTP method (e.g., GET, POST) using the `_method` POST key or the `x-http-method-override` header. The vulnerability arises because the user-supplied value of the `_method` parameter is neither validated nor encoded before being included in the 404 error message 'Cannot [method] [url]'. An attacker can embed a script tag, such as <script src=http://nodesecurity.io/xss.js></script>, in the `_method` parameter. When a request with this crafted `_method` value results in a 404, the server reflects the unencoded script in the HTML response, and the script executes in the browser of any victim who loads that error page.
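The reflection described above, as an added example that is not Connect's own code: a stand-in for the override step and the 404 body, with the raw interpolation beside two mitigations (an allowlist of HTTP methods and HTML escaping) that are this example's own, not a description of the upstream commit; the request objects are constructed for the example.

```javascript
// Added example (not Connect's code): model of the override step and the
// 404 body described above. Requests are constructed for the example.
const KNOWN_METHODS = new Set(["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]);

// Escape the characters that matter in an HTML text context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The client-supplied override: the _method body key or the header.
function overrideValue(req) {
  return (req.body && req.body._method) || req.headers["x-http-method-override"];
}

// Override step as the advisory describes it: the client-supplied value
// becomes req.method without validation.
function overrideUnchecked(req) {
  const value = overrideValue(req);
  if (value) req.method = String(value);
  return req;
}

// Hardened override (this example's mitigation, not the upstream fix):
// only a known HTTP method may replace the original one.
function overrideAllowlisted(req) {
  const value = overrideValue(req);
  if (value && KNOWN_METHODS.has(String(value).toUpperCase())) {
    req.method = String(value).toUpperCase();
  }
  return req;
}

// 404 body as described: values interpolated raw into the HTML response.
function notFoundUnsafe(req) {
  return "Cannot " + req.method + " " + req.url;
}

// Same body with every interpolated value HTML-escaped.
function notFoundSafe(req) {
  return "Cannot " + escapeHtml(req.method) + " " + escapeHtml(req.url);
}

// Constructed POST whose _method field carries the given value.
function makeRequest(overrideVal) {
  return { method: "POST", url: "/missing", headers: {}, body: { _method: overrideVal } };
}
```

With the unchecked override and raw body, markup placed in `_method` comes back verbatim in the 404 page; the allowlist keeps it out of `req.method` altogether, and escaping neutralizes anything that still reaches the HTML.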
What is the Impact of CVE-2013-7370?
Successful exploitation may allow attackers to execute arbitrary scripts in the context of the victim's browser, leading to session hijacking, defacement, or redirection to malicious sites.
What is the Exploitability of CVE-2013-7370?
Exploitation of this XSS vulnerability is of low complexity. It requires neither authentication nor elevated privileges, because it relies only on how the methodOverride middleware processes input. The attack is remote: an attacker sends a crafted POST request to a vulnerable Connect application. The primary risk factor is the application's use of the methodOverride middleware and its exposure to user-controlled input. There are no special requirements beyond the presence of the vulnerable middleware.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2013-7370?
Available Upgrade Options
- connect
- <2.8.1 → Upgrade to 2.8.1
Additional Resources
- http://www.openwall.com/lists/oss-security/2014/04/21/2
- http://www.openwall.com/lists/oss-security/2014/05/13/1
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-7370
- https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a
- https://security-tracker.debian.org/tracker/CVE-2013-7370
- https://access.redhat.com/security/cve/cve-2013-7370
- https://osv.dev/vulnerability/GHSA-3fw8-66wf-pr7m
- https://nvd.nist.gov/vuln/detail/CVE-2013-7370
- https://github.com/senchalabs/connect/issues/831
What are Similar Vulnerabilities to CVE-2013-7370?
Similar Vulnerabilities: CVE-2017-1000060, CVE-2019-11358, CVE-2019-15024, CVE-2014-8777, CVE-2015-2831
