CVE-2016-10549
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2016-10549
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
Sails is an MVC style framework for building realtime web applications. Version 0.12.7 and lower have an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This would allow an attacker to make AJAX requests to vulnerable hosts through cross site scripting or a malicious HTML Document, effectively bypassing the Same Origin Policy. Note that this is only an issue when `allRoutes` is set to `true` and `origin` is set to `*` or left commented out in the sails CORS config file. The problem can be compounded when the cors `credentials` setting is not provided. At that point authenticated cross domain requests are possible.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
访问控制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Sails 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Sails是一款用于构建实时Web应用程序的MVC样式的框架。 Sails 0.12.7及之前版本中存在安全漏洞。攻击者可利用该漏洞向易受攻击的主机发送AJAX请求,绕过同源策略。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| HackerOne | sails node module | <=0.12.7 | - |
II. Public POCs for CVE-2016-10549
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2016-10549
请登录查看更多情报信息。
Other References for CVE-2016-10549 (2)
- http://sailsjs.org/documentation/concepts/security/corsx_refsource_MISC
- https://nodesecurity.io/advisories/148x_refsource_MISC
Same Patch Batch · HackerOne · 2018-05-31 · 50 CVEs total
| CVE-2016-10550 | sequalize SQL注入漏洞 | |
| CVE-2016-10560 | galenframework-cli 安全漏洞 | |
| CVE-2016-10564 | apk-parser 安全漏洞 | |
| CVE-2016-10565 | operadriver 安全漏洞 | |
| CVE-2016-10569 | embedza 安全漏洞 | |
| CVE-2016-10571 | bkjs-wand 安全漏洞 | |
| CVE-2016-10572 | mongodb-instance 安全漏洞 | |
| CVE-2016-10563 | go-ipfs-deps模块安全漏洞 | |
| CVE-2016-10553 | sequalize SQL注入漏洞 | |
| CVE-2016-10552 | igniteui 安全漏洞 | |
| CVE-2016-10554 | sequelize 安全漏洞 | |
| CVE-2016-10548 | reduce-css-calc node模块安全漏洞 | |
| CVE-2016-10547 | Nunjucks 安全漏洞 | |
| CVE-2016-10546 | PouchDB 安全漏洞 | |
| CVE-2016-10544 | uws 安全漏洞 | |
| CVE-2016-10543 | call 安全漏洞 | |
| CVE-2016-10542 | ws 安全漏洞 | |
| CVE-2016-10541 | Thshell-quote 安全漏洞 | |
| CVE-2016-10540 | Minimatch 安全漏洞 | |
| CVE-2016-10539 | negotiator 安全漏洞 |
Showing top 20 of 50 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same weakness: CWE-284
- CVE-2026-47261
Wasmtime: WASI path_open(TRUNCATE) bypasses `FilePerms::WRIT - CVE-2026-5230
Improper Access Control in Mia Technologies' Pizzy Library - CVE-2026-12212
hcengineering Huly Platform RPC operations.ts getMailboxSecr - CVE-2026-53520
Nezha Monitoring: Authenticated users can claim the dashboar - CVE-2026-44783
Discourse: Replying to a whisper lets non-whisperers create
V. Comments for CVE-2016-10549
No comments yet