Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
node-connects before 2.8.2 has cross site scripting in Sencha Labs Connect middleware (vulnerability due to incomplete fix for CVE-2013-7370)
Advisories for Npm/Connect package
2022
2020
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware
2018
Cross-site Scripting
connect node module suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.
2013
Cross-Site Scripting with connect.methodOverride()
The middleware overwrites req.method with the req.body['_method'] value. When you don't catch the error it responds with a default error msg: "Cannot [METHOD] [URL]" . Because this is not enough sanitized, you can force a Cross-Site Scripting in the response.