Vulnerabilites related to openjsf - express
cve-2024-10491
Vulnerability from cvelistv5
Published
2024-10-29 16:23
Modified
2024-10-29 19:44
Severity ?
EPSS score ?
Summary
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.
The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources.
This vulnerability is especially relevant for dynamic parameters.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:expressjs:express:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "express",
"vendor": "expressjs",
"versions": [
{
"lessThanOrEqual": "3.21.2",
"status": "affected",
"version": "3.0.0-alpha1",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10491",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T19:42:55.922371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T19:44:30.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.npmjs.com/package/express",
"defaultStatus": "unaffected",
"packageName": "express",
"product": "express",
"repo": "https://github.com/expressjs/express",
"vendor": "express",
"versions": [
{
"lessThanOrEqual": "3.21.2",
"status": "affected",
"version": "3.0.0-alpha1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "abze"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability has been identified in the Express \u003cem\u003eresponse.links\u003c/em\u003e\u0026nbsp;function, allowing for arbitrary resource injection in the \u003cem\u003eLink\u003c/em\u003e\u0026nbsp;header when unsanitized data is used.\u003c/p\u003e\u003cp\u003eThe issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `\u0026lt;\u0026gt;` to preload malicious resources.\u003c/p\u003e\u003cp\u003eThis vulnerability is especially relevant for dynamic parameters.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A vulnerability has been identified in the Express response.links\u00a0function, allowing for arbitrary resource injection in the Link\u00a0header when unsanitized data is used.\n\nThe issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `\u003c\u003e` to preload malicious resources.\n\nThis vulnerability is especially relevant for dynamic parameters."
}
],
"impacts": [
{
"capecId": "CAPEC-240",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-240 Resource Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T16:26:16.251Z",
"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"shortName": "HeroDevs"
},
"references": [
{
"url": "https://www.herodevs.com/vulnerability-directory/cve-2024-10491"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Preload arbitrary resources by injecting additional `Link` headers",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"assignerShortName": "HeroDevs",
"cveId": "CVE-2024-10491",
"datePublished": "2024-10-29T16:23:21.219Z",
"dateReserved": "2024-10-29T11:53:00.416Z",
"dateUpdated": "2024-10-29T19:44:30.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2014-6393
Vulnerability from cvelistv5
Published
2017-08-09 18:00
Modified
2024-08-06 12:17
Severity ?
EPSS score ?
Summary
The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.
References
| ▼ | URL | Tags |
|---|---|---|
| https://nodesecurity.io/advisories/express-no-charset-in-content-type-header | x_refsource_CONFIRM | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1203190 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T12:17:23.956Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/express-no-charset-in-content-type-header"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203190"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-09-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-09T17:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodesecurity.io/advisories/express-no-charset-in-content-type-header"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203190"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-6393",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodesecurity.io/advisories/express-no-charset-in-content-type-header",
"refsource": "CONFIRM",
"url": "https://nodesecurity.io/advisories/express-no-charset-in-content-type-header"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1203190",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203190"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-6393",
"datePublished": "2017-08-09T18:00:00",
"dateReserved": "2014-09-15T00:00:00",
"dateUpdated": "2024-08-06T12:17:23.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-43796
Vulnerability from cvelistv5
Published
2024-09-10 14:36
Modified
2024-09-10 15:58
Severity ?
EPSS score ?
Summary
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx | x_refsource_CONFIRM | |
| https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43796",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:58:36.256748Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T15:58:45.956Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "express",
"vendor": "expressjs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.20.0"
},
{
"status": "affected",
"version": "\u003e= 5.0.0-alpha.1, \u003c 5.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Express.js minimalist web framework for node. In express \u003c 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T14:36:27.380Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx"
},
{
"name": "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553"
}
],
"source": {
"advisory": "GHSA-qw6h-vgh9-j6wx",
"discovery": "UNKNOWN"
},
"title": "express vulnerable to XSS via response.redirect()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-43796",
"datePublished": "2024-09-10T14:36:27.380Z",
"dateReserved": "2024-08-16T14:20:37.325Z",
"dateUpdated": "2024-09-10T15:58:45.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-24999
Vulnerability from cvelistv5
Published
2022-11-26 00:00
Modified
2024-08-03 04:29
Severity ?
EPSS score ?
Summary
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:01.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/expressjs/express/releases/tag/4.17.3"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ljharb/qs/pull/428"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/n8tz/CVE-2022-24999"
},
{
"name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3299-1] node-qs security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230908-0005/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-08T16:06:42.462757",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/expressjs/express/releases/tag/4.17.3"
},
{
"url": "https://github.com/ljharb/qs/pull/428"
},
{
"url": "https://github.com/n8tz/CVE-2022-24999"
},
{
"name": "[debian-lts-announce] 20230130 [SECURITY] [DLA 3299-1] node-qs security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230908-0005/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-24999",
"datePublished": "2022-11-26T00:00:00",
"dateReserved": "2022-02-14T00:00:00",
"dateUpdated": "2024-08-03T04:29:01.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2024-09-10 15:15
Modified
2024-09-20 16:07
Severity ?
5.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openjsf:express:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "490126A5-34FA-4D46-946F-8612A3E66AB1",
"versionEndExcluding": "4.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:5.0.0:alpha1:*:*:*:node.js:*:*",
"matchCriteriaId": "50C7D4CD-B4D9-433E-B3FC-AB309FA31CCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:5.0.0:alpha2:*:*:*:node.js:*:*",
"matchCriteriaId": "7DFB65DE-73BB-4BB5-84BA-67B187DD2DA9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:5.0.0:alpha3:*:*:*:node.js:*:*",
"matchCriteriaId": "B709D2E7-2D50-4A90-B000-0DEB55B80682",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:5.0.0:alpha4:*:*:*:node.js:*:*",
"matchCriteriaId": "E388EA8E-03EF-41C9-98C6-68D96DAF92A8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:5.0.0:alpha5:*:*:*:node.js:*:*",
"matchCriteriaId": "A7D7FA44-E213-4931-A92B-2C46CA1F6EC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:5.0.0:alpha6:*:*:*:node.js:*:*",
"matchCriteriaId": "EBFE2596-A7DE-455C-A59A-1B56ACA82D4F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:5.0.0:alpha7:*:*:*:node.js:*:*",
"matchCriteriaId": "F68E52F1-1A06-45D4-8593-3D5D7EC32330",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:5.0.0:alpha8:*:*:*:node.js:*:*",
"matchCriteriaId": "0F5FEAD7-A1EB-4FB1-8B15-A717642961F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:5.0.0:beta1:*:*:*:node.js:*:*",
"matchCriteriaId": "2CC3B849-8DAF-47E5-A4EB-E93394C7396A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:5.0.0:beta2:*:*:*:node.js:*:*",
"matchCriteriaId": "6058D4DD-DE9D-4AD9-87A0-22F81C33F81E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:5.0.0:beta3:*:*:*:node.js:*:*",
"matchCriteriaId": "9852C6CE-F282-4B7D-9690-57E57FAC8B37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Express.js minimalist web framework for node. In express \u003c 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0."
},
{
"lang": "es",
"value": "Express.js, el framework web minimalista para Node. En Express anterior a la versi\u00f3n 4.20.0, pasar una entrada de usuario no confiable (incluso despu\u00e9s de desinfectarla) a response.redirect() puede ejecutar c\u00f3digo no confiable. Este problema se solucion\u00f3 en Express 4.20.0."
}
],
"id": "CVE-2024-43796",
"lastModified": "2024-09-20T16:07:47.997",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-10T15:15:17.510",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-10-29 17:15
Modified
2024-11-06 23:08
Severity ?
4.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.
The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources.
This vulnerability is especially relevant for dynamic parameters.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| 36c7be3b-2937-45df-85ea-ca7133ea542c | https://www.herodevs.com/vulnerability-directory/cve-2024-10491 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openjsf:express:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "E54423CE-0344-49DB-9BAF-7DA1041AC966",
"versionEndIncluding": "3.21.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in the Express response.links\u00a0function, allowing for arbitrary resource injection in the Link\u00a0header when unsanitized data is used.\n\nThe issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `\u003c\u003e` to preload malicious resources.\n\nThis vulnerability is especially relevant for dynamic parameters."
},
{
"lang": "es",
"value": " Se ha identificado una vulnerabilidad en la funci\u00f3n response.links de Express, que permite la inyecci\u00f3n arbitraria de recursos en el encabezado Link cuando se utilizan datos no desinfectados. El problema surge de una desinfecci\u00f3n incorrecta en los valores del encabezado `Link`, que puede permitir una combinaci\u00f3n de caracteres como `,`, `;` y `\u0026lt;\u0026gt;` para precargar recursos maliciosos. Esta vulnerabilidad es especialmente relevante para los par\u00e1metros din\u00e1micos."
}
],
"id": "CVE-2024-10491",
"lastModified": "2024-11-06T23:08:49.780",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-10-29T17:15:03.853",
"references": [
{
"source": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2024-10491"
}
],
"sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-26 22:15
Modified
2024-11-21 06:51
Severity ?
Summary
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/expressjs/express/releases/tag/4.17.3 | Release Notes | |
| cve@mitre.org | https://github.com/ljharb/qs/pull/428 | Issue Tracking, Patch | |
| cve@mitre.org | https://github.com/n8tz/CVE-2022-24999 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://security.netapp.com/advisory/ntap-20230908-0005/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/expressjs/express/releases/tag/4.17.3 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ljharb/qs/pull/428 | Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/n8tz/CVE-2022-24999 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20230908-0005/ |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| qs_project | qs | * | |
| qs_project | qs | * | |
| qs_project | qs | * | |
| qs_project | qs | * | |
| qs_project | qs | * | |
| qs_project | qs | * | |
| qs_project | qs | * | |
| qs_project | qs | 6.4.0 | |
| qs_project | qs | 6.6.0 | |
| openjsf | express | * | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "F7960844-79EB-454C-BD4C-C79387E2E573",
"versionEndExcluding": "6.2.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "B836471B-BF39-4B52-B837-70B494D2C45F",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "6.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "DF319EA6-E68F-41A8-BB21-FE30F6BD1A9C",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "E43C2419-E3F8-4123-8FA8-A0C1B4244D77",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "6.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "BB20DBEF-67E2-49FB-BB55-C86F7A83028F",
"versionEndExcluding": "6.8.3",
"versionStartIncluding": "6.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "49C25B47-56FD-43BF-9DA4-A6100DD291EE",
"versionEndExcluding": "6.9.7",
"versionStartIncluding": "6.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "750DDAB9-4454-4087-8DA1-D05280F59081",
"versionEndExcluding": "6.10.3",
"versionStartIncluding": "6.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.4.0:*:*:*:*:node.js:*:*",
"matchCriteriaId": "535F43BA-C0A4-441A-A13C-A221ED855613",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qs_project:qs:6.6.0:*:*:*:*:node.js:*:*",
"matchCriteriaId": "870A2680-00C2-43D2-9C4B-D8F52DB16AA1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openjsf:express:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "31382A93-AA97-4D14-ACF6-129F1BDDFD6D",
"versionEndExcluding": "4.17.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable)."
},
{
"lang": "es",
"value": "qs anterior a 6.10.3, como se usa en Express anterior a 4.17.3 y otros productos, permite a los atacantes provocar que un proceso de Nodo se cuelgue para una aplicaci\u00f3n Express porque se puede usar una clave __ proto__. En muchos casos de uso t\u00edpicos de Express, un atacante remoto no autenticado puede colocar el payload del ataque en la cadena de consulta de la URL que se utiliza para visitar la aplicaci\u00f3n, como a[__proto__]=b\u0026amp;a[__proto__]\u0026amp;a[length] =100000000. La soluci\u00f3n se respald\u00f3 a qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3 y 6.2.4 (y por lo tanto a Express 4.17.3, que tiene \"deps : qs@6.9.7\" en la descripci\u00f3n de su versi\u00f3n, no es vulnerable)."
}
],
"id": "CVE-2022-24999",
"lastModified": "2024-11-21T06:51:31.643",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-26T22:15:10.153",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/expressjs/express/releases/tag/4.17.3"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/ljharb/qs/pull/428"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/n8tz/CVE-2022-24999"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html"
},
{
"source": "cve@mitre.org",
"url": "https://security.netapp.com/advisory/ntap-20230908-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/expressjs/express/releases/tag/4.17.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/ljharb/qs/pull/428"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/n8tz/CVE-2022-24999"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20230908-0005/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-08-09 18:29
Modified
2024-11-21 02:14
Severity ?
Summary
The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://bugzilla.redhat.com/show_bug.cgi?id=1203190 | Issue Tracking, Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://nodesecurity.io/advisories/express-no-charset-in-content-type-header | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1203190 | Issue Tracking, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://nodesecurity.io/advisories/express-no-charset-in-content-type-header | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| openjsf | express | * | |
| openjsf | express | 4.0.0 | |
| openjsf | express | 4.1.0 | |
| openjsf | express | 4.1.1 | |
| openjsf | express | 4.1.2 | |
| openjsf | express | 4.2.0 | |
| openjsf | express | 4.3.0 | |
| openjsf | express | 4.3.1 | |
| openjsf | express | 4.3.2 | |
| openjsf | express | 4.4.0 | |
| openjsf | express | 4.4.1 | |
| openjsf | express | 4.4.2 | |
| openjsf | express | 4.4.3 | |
| openjsf | express | 4.4.4 | |
| openjsf | express | 4.4.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openjsf:express:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F3044B30-C7BD-4472-B79F-1B1CF6678B83",
"versionEndIncluding": "3.10.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7048C98D-3862-4067-BBD9-FED2488EAAA9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "41978223-8371-41B6-A5AA-C270357ECE88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "1DC94FA3-2F6E-4C11-AFF9-EBE99661E3CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E3EE054C-7B48-46FC-B048-458A138718A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5CAF101E-20FC-40EC-9566-6274E24D668D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:4.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1E93C3DE-988C-47D9-84BB-0579D83A05C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:4.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E80EDF16-E5CF-4B61-B041-54D2D33B2A13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:4.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "89706C45-EE55-4778-AE2A-53DCFFEC45D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:4.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C29C2745-5E28-42EE-AA8D-5EAB394AC813",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:4.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "13FFEADC-67C9-4270-B832-696BF41ADE2F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:4.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "7F8DC1AA-D87C-4DC6-9735-56A78719E96A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:4.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "2B020CA0-739E-4404-A1D1-59B826F3DC3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:4.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "080B58C4-1910-43C5-AAF6-2134416E9685",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openjsf:express:4.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F71DFB79-FD8C-4470-8B3B-8FA1E4FE2F41",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding."
},
{
"lang": "es",
"value": "El framework web Express en versiones anteriores a la 3.11 y en versiones 4.x anteriores a la 4.5 para Node.js no proporciona un campo charset en los encabezados HTTP Content-Type en respuestas de nivel 400. Esto permitir\u00eda que atacantes remotos llevasen a cabo ataques de tipo cross-site scripting (XSS) mediante caracteres en una codificaci\u00f3n no est\u00e1ndar."
}
],
"id": "CVE-2014-6393",
"lastModified": "2024-11-21T02:14:18.290",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-09T18:29:00.480",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203190"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://nodesecurity.io/advisories/express-no-charset-in-content-type-header"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203190"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://nodesecurity.io/advisories/express-no-charset-in-content-type-header"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}