How severe is CVE-2016-10549?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.4 out of 10.

What type of vulnerability is CVE-2016-10549?

This is classified as CWE-284, which is a common weakness in software security.

CVE-2016-10549 - MEDIUM Severity | CVSS 4.4

Vulnerability Description

Sails is an MVC style framework for building realtime web applications. Version 0.12.7 and lower have an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This would allow an attacker to make AJAX requests to vulnerable hosts through cross site scripting or a malicious HTML Document, effectively bypassing the Same Origin Policy. Note that this is only an issue when `allRoutes` is set to `true` and `origin` is set to `*` or left commented out in the sails CORS config file. The problem can be compounded when the cors `credentials` setting is not provided. At that point authenticated cross domain requests are possible.

Related Vulnerabilities

CVE-2015-2008

MEDIUM

CVSS:4.4(Medium)

IBM Security QRadar SIEM 7.1.x before 7.1 MR2 Patch 12 and 7.2.x before 7.2.6 includes SSH private keys during backup operations, which allows remote authenticated administrators to obtain sensitive i...

CWE-2842015

CVE-2016-8222

MEDIUM

CVSS:4.4(Medium)

A vulnerability has been identified in a signed kernel driver for the BIOS of some ThinkPad systems that can allow an attacker with Windows administrator-level privileges to call System Management Mod...

CWE-2842016

CVE-2017-18457

MEDIUM

CVSS:4.4(Medium)

cPanel before 62.0.17 allows arbitrary file-read operations via WHM /styled/ URLs (SEC-218).

CWE-2842017

CVE-2019-15967

MEDIUM

CVSS:4.4(Medium)

A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) and Cisco RoomOS Software could allow an authenticated, local attacker to enable audio recording without notifying users. T...

CWE-2842019

CVE-2020-7253

MEDIUM

CVSS:4.4(Medium)

Improper access control vulnerability in masvc.exe in McAfee Agent (MA) prior to 5.6.4 allows local users with administrator privileges to disable self-protection via a McAfee supplied command-line ut...

CWE-2842020

CVE-2021-1583

MEDIUM

CVSS:4.4(Medium)

A vulnerability in the fabric infrastructure file system access control of Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an authenticated, local ...

CWE-2842021