GMS-2013-13: Cross-Site Scripting with connect.methodOverride()

June 27, 2013

The middleware overwrites req.method with the req.body[’_method’] value. When you don’t catch the error it responds with a default error msg: “Cannot [METHOD] [URL]” . Because this is not enough sanitized, you can force a Cross-Site Scripting in the response.

References

github.com/senchalabs/connect/issues/831

Code Behaviors & Features

Detect and mitigate GMS-2013-13 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →