PT-2014-7828 · Hapi · Crumb

Published: 2014-12-25 · Updated: 2021-07-19 · CVE-2014-7193

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Crumb plugin versions prior to 3.0.0

Description: The issue allows remote attackers to obtain sensitive information and potentially spoof requests to non-CORS routes by exploiting improper restriction of access to the crumb token when a hapi route handler has CORS enabled. An attacker can achieve this via a crafted web site visited by an application consumer, which lets the attacker set a crumb token for a different domain and then make requests to non-CORS routes as that user. The scenario in which this occurs is considered unlikely, as most configurations set CORS globally or not at all.

Recommendations: Update to version 3.0.0 or greater.
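The defensive rule behind this advisory, as an added illustration (not crumb's or hapi's own code): a crumb token may only be issued when the request comes from the application's own origin or from an origin the route's CORS configuration explicitly lists, so a foreign page hitting a CORS-enabled route can never cause a token to be set. The function names, the sample origins and the route objects are assumptions constructed for the example; only the shape of the `cors` setting mirrors a hapi route.

```javascript
// Added illustration, not crumb's or hapi's code. Models the rule that a
// CSRF ("crumb") cookie must not be set for a cross-origin request on a
// CORS-enabled route unless that origin is explicitly trusted; otherwise a
// third-party page could plant a token later accepted on non-CORS routes.
// Names and sample origins are assumptions constructed for this example.

const APP_ORIGIN = 'https://app.example.test'; // constructed sample value

// corsSettings mirrors the shape of a hapi route's `cors` setting:
// false/undefined (disabled) or an object with an `origin` array.
function originAllowedByCors(corsSettings, origin) {
  if (!corsSettings || !Array.isArray(corsSettings.origin)) return false;
  // A wildcard opens the route to every origin; it must never be used to
  // decide that a token can be handed to that origin.
  if (corsSettings.origin.includes('*')) return false;
  return corsSettings.origin.includes(origin);
}

// Decide whether a crumb cookie may be set for this request.
function mayIssueCrumb(route, headers) {
  const origin = headers.origin; // Node lowercases header names
  // No Origin header: same-origin navigation or a non-browser client.
  if (origin === undefined) return true;
  if (origin === APP_ORIGIN) return true;
  // Cross-origin: only an explicitly listed origin on a CORS route qualifies.
  return originAllowedByCors(route.cors, origin);
}

// Constructed routes covering the advisory's scenario (a CORS-enabled route
// reached from a foreign page) next to a non-CORS route and a trusted partner.
const sampleRoutes = {
  noCors:   { path: '/account',  cors: false },
  wildcard: { path: '/api/data', cors: { origin: ['*'] } },
  partner:  { path: '/api/data', cors: { origin: ['https://partner.example.test'] } },
};

function demo() {
  return {
    sameOrigin:        mayIssueCrumb(sampleRoutes.noCors,   { origin: APP_ORIGIN }),
    foreignOnNoCors:   mayIssueCrumb(sampleRoutes.noCors,   { origin: 'https://foreign.example.test' }),
    foreignOnWildcard: mayIssueCrumb(sampleRoutes.wildcard, { origin: 'https://foreign.example.test' }),
    partnerOnPartner:  mayIssueCrumb(sampleRoutes.partner,  { origin: 'https://partner.example.test' }),
    foreignOnPartner:  mayIssueCrumb(sampleRoutes.partner,  { origin: 'https://foreign.example.test' }),
  };
}

console.log(demo()); // only sameOrigin and partnerOnPartner are true
```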

Weakness Enumeration: Improper Access Control

Related Identifiers

CVE-2014-7193
GHSA-84FQ-6626-W5FG

Affected Products

Crumb