SCA: security update for sails (GHSA-qmv4-jgp7-mf68)

medium Tenable Cloud Security Plugin ID 423089

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Sails is an MVC style framework for building realtime web applications. Version 0.12.7 and lower have an
issue with the CORS configuration where the value of the origin header is reflected as the value for the
Access-Control-Allow-Origin header. This would allow an attacker to make AJAX requests to vulnerable hosts
through cross site scripting or a malicious HTML Document, effectively bypassing the Same Origin Policy.
Note that this is only an issue when `allRoutes` is set to `true` and `origin` is set to `*` or left
commented out in the sails CORS config file. The problem can be compounded when the cors `credentials`
setting is not provided. At that point authenticated cross domain requests are possible. (CVE-2016-10549)

See Also

https://github.com/advisories/GHSA-qmv4-jgp7-mf68

Plugin Details

Severity: Medium

ID: 423089

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 3/29/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:N/AC:H/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2016-10549

CVSS v3

Risk Factor: Medium

Base Score: 4.4

Temporal Score: 3.9

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/18/2019

Vulnerability Publication Date: 10/5/2016

Reference Information

CVE: CVE-2016-10549

cwe: CWE-284