Home > Vulnerability Database > CVE-2015-9236

Mend.io Vulnerability Database

CVE-2015-9236

Good to know:

Date: May 31, 2018

Hapi versions less than 11.0.0 implement CORS incorrectly and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.

Language: JS

Severity Score

5.3

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2015-9236

Url: https://github.com/hapijs/hapi/issues/2840

Url: https://github.com/advisories/GHSA-vwrf-r5r4-7775

Url: https://github.com/hapijs/hapi/issues/2850

Url: https://nodesecurity.io/advisories/45

Url: https://www.npmjs.com/advisories/45

Url: https://www.mend.io/vulnerability-database/CVE-2015-9236

Severity Score

5.3

Weakness Type (CWE)

Improper Access Control

CWE-284

Information Leak / Disclosure

CWE-200

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2015-9236

Good to know:

Date: May 31, 2018

Language: JS

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?