CVE-2016-10549

Source
https://cve.org/CVERecord?id=CVE-2016-10549
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-10549.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2016-10549
Aliases
Published
2018-05-31T20:29:01.830Z
Modified
2026-04-10T03:48:15.346118Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

Sails is an MVC-style framework for building realtime web applications. Versions 0.12.7 and lower have an issue with the CORS configuration where the value of the request's Origin header is reflected as the value of the Access-Control-Allow-Origin response header. This would allow an attacker to make AJAX requests to vulnerable hosts through cross-site scripting or a malicious HTML document, effectively bypassing the Same-Origin Policy. Note that this is only an issue when allRoutes is set to true and origin is set to * or left commented out in the Sails CORS config file. The problem can be compounded when the CORS credentials setting is not provided; at that point authenticated cross-domain requests are possible.

References

Affected packages

Git / github.com/balderdashy/sails

Affected ranges

Type
GIT
Repo
https://github.com/balderdashy/sails
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.12.7"
        }
    ]
}

Affected versions

0.*
0.11.0-rc10
0.11.0-rc6
0.11.0-rc7
0.11.0-rc8
0.11.0-rc9
0.9preview
12.*
12.11.07.24
12.11.0721
12.11.0722
12.11.0723
12.11.0724
12.11.08
12.11.0812
12.11.0813
12.11.0818
12.11.0819
12.11.1400
12.11.1411
12.11.1413
12.11.1414
12.11.1600
12.11.1700
12.11.1716
12.11.1799
12.11.1799gls
12.11.1800
12.11.1900
12.11.1901
12.11.2000
12.11.2001
12.11.2400
12.11.2418
12.11.2419
12.11.2423
12.11.2424
12.11.2600
12.11.2601
12.11.2604
12.11.2605
12.11.2606
12.11.26120
12.11.2618
12.11.2619
12.11.2620
12.11.2900
12.12.0300
12.7.26
Other
enlyton-release
wl-rc13
v0.*
v0.10.0-rc1
v0.10.0-rc10
v0.10.0-rc11
v0.10.0-rc2
v0.10.0-rc3
v0.10.0-rc4
v0.10.0-rc5
v0.10.0-rc6
v0.10.0-rc8
v0.10.1
v0.10.2
v0.10.4
v0.10.5
v0.11.0
v0.11.0-rc5
v0.12.0-rc1
v0.12.0-rc2
v0.12.0-rc3
v0.12.0-rc5
v0.12.0-rc6
v0.12.0-rc7
v0.12.07-rc7
v0.12.2
v0.12.2-0
v0.12.3
v0.12.4
v0.12.4-rc1
v0.12.4-rc2
v0.12.4-rc3
v0.12.5
v0.12.6
v0.12.7
v0.2.1
v0.3.0
v0.7.0-1
v0.7.0-2
v0.7.0-3
v0.7.0-4
v0.7.0-5
v0.7.0-6
v0.7.0-8
v0.7.1-0
v0.7.2
v0.7.4-1
v0.7.5-0
v0.7.6-0
v0.7.7-0
v0.7.8
v0.7.9
v0.8.0
v0.8.1
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.73
v0.8.74
v0.8.75
v0.8.76
v0.8.77
v0.8.78
v0.8.79
v0.8.80
v0.8.81
v0.8.82
v0.8.83
v0.8.84
v0.8.85
v0.8.86
v0.8.87
v0.8.88
v0.8.89
v0.8.89-1
v0.8.892
v0.8.894
v0.8.895
v0.8.93
v0.9.0
v0.9.1
v0.9.2
v0.9.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-10549.json"