PT-2019-7014 · Sencha · Node-Connect

Published: 2019-12-11 · Updated: 2022-05-05 · CVE-2013-7371

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: node-connect versions prior to 2.8.2

Description: The issue is a cross-site scripting vulnerability in the Sencha Labs Connect middleware caused by an incomplete fix. Connect is a stack of middleware executed in order for each request. The methodOverride middleware allows an HTTP POST to override the request method with the value of the method post key or the x-http-method-override header. Because this user-supplied input was not validated, req.method could take any value; that value was then reflected unencoded in the 404 page rendered in the browser, enabling cross-site scripting.

Recommendations: Update to the newest version of Connect (2.8.2 or later). Disable the methodOverride middleware to mitigate the risk.
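The two middleware shapes the description contrasts, as an added illustration that is not Connect's own code: an override that accepts any value (the behaviour described above) next to one that only accepts a known HTTP verb, plus a 404 body that encodes the method before reflecting it. The `_method` body key, the request object layout and the verb allowlist are assumptions of this example.

```javascript
// Added example (not code from Connect): a method-override middleware in its
// unchecked and checked forms, operating on a minimal constructed request.
const ALLOWED_VERBS = new Set(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS']);

// Read the override candidate from the assumed `_method` body key or the
// x-http-method-override header (header names lower-cased, as in Node).
function overrideCandidate(req) {
  return (req.body && req.body._method) || req.headers['x-http-method-override'] || null;
}

// Unchecked form: whatever the client sent replaces req.method verbatim.
function overrideUnchecked(req) {
  const candidate = overrideCandidate(req);
  if (candidate) req.method = String(candidate);
  return req.method;
}

// Checked form: only a verb on the allowlist may replace the method; any
// other value is ignored and the original POST stays in place.
function overrideChecked(req) {
  const candidate = overrideCandidate(req);
  if (candidate) {
    const verb = String(candidate).toUpperCase();
    if (ALLOWED_VERBS.has(verb)) req.method = verb;
  }
  return req.method;
}

// HTML-encode the five characters that can open markup or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 404 body that reflects the method and path; encoding makes a bad
// req.method harmless even if the override check were missing.
function notFoundBody(req) {
  return `Cannot ${escapeHtml(req.method)} ${escapeHtml(req.url)}`;
}

// Constructed request: a POST whose body carries a non-verb override value.
function makeRequest(overrideValue) {
  return { method: 'POST', url: '/missing', headers: {}, body: { _method: overrideValue } };
}

module.exports = { overrideUnchecked, overrideChecked, escapeHtml, notFoundBody, makeRequest };
```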

Tags: Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2013-7371
GHSA-6W62-83G6-RFHJ

Affected Products

Node-Connect