CVEs-PoC/2020/CVE-2020-28481.md

### [CVE-2020-28481](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481)
![](https://img.shields.io/static/v1?label=Product&message=socket.io&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%202.4.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Insecure%20Defaults&color=brighgreen)

### Description

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

### POC

#### Reference
- https://github.com/socketio/socket.io/issues/3671
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357
- https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859

#### Github
- https://github.com/HotDB-Community/HotDB-Engine