PT-2019-7013 · Node.Js · Node-Connect
Kurt Seifried · Published 2019-12-11 · Updated 2020-08-31 · CVE-2013-7370
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
node-connect versions prior to 2.8.1
Description
The issue arises from the "methodOverride" middleware in Connect, which allows HTTP POST requests to override the method of the request using the _method POST key or the x-http-method-override header. Because this user-supplied value is not properly checked, req.method can contain any value. When the value does not match a common method verb, Connect responds with a 404 page containing "Cannot [method] [url]", where the method is not properly encoded for browser output. This can lead to XSS attacks, as demonstrated by an example where a malicious script is injected through the method parameter.
Recommendations
Update to the newest version of Connect.
Disable the methodOverride middleware to prevent exploitation.
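The sketch below is an added example, not Connect's source code or its actual patch. It models the behaviour the description gives (an unchecked override echoed into the 404 body) beside one way to harden it: accept only known verbs and HTML-encode the output. All function names and the sample request are constructed for illustration.

```javascript
// Added example (not Connect's code). Function names are hypothetical.
const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS']);

// Encode the characters that are significant when text is placed in HTML.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Model of the behaviour in the description: any override value is accepted.
function overrideMethodUnchecked(req) {
  const body = req.body || {};
  const headers = req.headers || {};
  return body._method || headers['x-http-method-override'] || req.method;
}

// Hardened: only a POST may be overridden, and only to a known verb.
function overrideMethodChecked(req) {
  if (req.method !== 'POST') return req.method;
  const body = req.body || {};
  const headers = req.headers || {};
  const candidate = body._method || headers['x-http-method-override'];
  if (typeof candidate !== 'string') return req.method;
  const upper = candidate.toUpperCase();
  return ALLOWED_METHODS.has(upper) ? upper : req.method;
}

// 404 body built by raw concatenation: the method reaches the browser as markup.
function notFoundUnsafe(method, url) {
  return 'Cannot ' + method + ' ' + url;
}

// 404 body with both interpolated values encoded for HTML output.
function notFoundSafe(method, url) {
  return 'Cannot ' + escapeHtml(method) + ' ' + escapeHtml(url);
}

// Constructed sample request: a POST whose _method field carries markup.
const sample = {
  method: 'POST',
  url: '/missing',
  headers: {},
  body: { _method: '<script>alert(1)</script>' },
};
```

Either control alone closes this path, but applying both keeps the 404 page safe even if another middleware later sets req.method from untrusted input.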
Fix
XSS
Affected Products
Node-Connect