Vulnerabilites related to uri.js_project - uri.js
Vulnerability from fkie_nvd
Published
2022-03-06 16:15
Modified
2024-11-21 06:39
Severity ?
Summary
Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02 | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| uri.js_project | uri.js | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:uri.js_project:uri.js:*:*:*:*:*:*:*:*",
"matchCriteriaId": "198C1C52-82A9-491E-AAF3-A79D56BAF0B9",
"versionEndExcluding": "1.19.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10."
},
{
"lang": "es",
"value": "Un Redireccionamiento Abierto en el repositorio GitHub medialize/uri.js versiones anteriores a 1.19.10"
}
],
"id": "CVE-2022-0868",
"lastModified": "2024-11-21T06:39:33.917",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.3,
"impactScore": 6.0,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-06T16:15:07.607",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-02-16 09:15
Modified
2024-11-21 06:39
Severity ?
Summary
Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| uri.js_project | uri.js | * | |
| fedoraproject | fedora | 35 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:uri.js_project:uri.js:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EE752522-AE57-43CC-A8F4-CBBBDC2423E9",
"versionEndExcluding": "1.19.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8."
},
{
"lang": "es",
"value": "Una Omisi\u00f3n de Autorizaci\u00f3n mediante una clave controlada por el usuario en NPM urijs versiones anteriores a 1.19.8"
}
],
"id": "CVE-2022-0613",
"lastModified": "2024-11-21T06:39:01.617",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-16T09:15:07.043",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083"
},
{
"source": "security@huntr.dev",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXSSATHALUSXXD2KT6UFZAX7EG4GR332/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXSSATHALUSXXD2KT6UFZAX7EG4GR332/"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-04 20:15
Modified
2024-11-21 06:40
Severity ?
Summary
URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| uri.js_project | uri.js | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:uri.js_project:uri.js:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BCFE940B-2DE3-4D02-A96B-BF51B4B18ECD",
"versionEndExcluding": "1.19.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11."
},
{
"lang": "es",
"value": "Una Confusi\u00f3n de URL cuando no es proporcionado el esquema en el repositorio de GitHub medialize/uri.js versiones anteriores a 1.19.11"
}
],
"id": "CVE-2022-1233",
"lastModified": "2024-11-21T06:40:18.637",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-04T20:15:10.457",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-115"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-16 11:15
Modified
2024-11-21 06:22
Severity ?
Summary
URI.js is vulnerable to URL Redirection to Untrusted Site
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/1625558772840-medialize/URI.js | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/1625558772840-medialize/URI.js | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| uri.js_project | uri.js | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:uri.js_project:uri.js:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2272C0EE-A631-4A6A-871E-0216DEEDAEE0",
"versionEndExcluding": "1.19.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "URI.js is vulnerable to URL Redirection to Untrusted Site"
},
{
"lang": "es",
"value": "URI.js es vulnerable a la redirecci\u00f3n de URL a un sitio no confiable"
}
],
"id": "CVE-2021-3647",
"lastModified": "2024-11-21T06:22:04.223",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-16T11:15:11.383",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/1625558772840-medialize/URI.js"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/1625558772840-medialize/URI.js"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-12-31 00:15
Modified
2024-11-21 05:19
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/medialize/URI.js/releases/tag/v1.19.4 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg | Third Party Advisory | |
| security-advisories@github.com | https://www.npmjs.com/package/urijs | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/medialize/URI.js/releases/tag/v1.19.4 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.npmjs.com/package/urijs | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| uri.js_project | uri.js | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:uri.js_project:uri.js:*:*:*:*:*:*:*:*",
"matchCriteriaId": "87FD3B7F-F679-49B9-9876-B50CA1A634CD",
"versionEndExcluding": "1.19.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node\u0027s built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]"
},
{
"lang": "es",
"value": "URI.js es una biblioteca de mutaci\u00f3n de URL de JavaScript (paquete npm urijs).\u0026#xa0;En URI.js versiones anteriores a 1.19.4, el nombre de host puede ser falsificado usando un car\u00e1cter barra invertida (\"\\\") seguido de un car\u00e1cter arroba (\"@\").\u0026#xa0;Si el nombre de host es usado en decisiones de seguridad, la decisi\u00f3n puede ser incorrecta.\u0026#xa0;Dependiendo del uso de la biblioteca y la intenci\u00f3n del atacante, los impactos pueden incluir omisiones de lista de permisos y bloqueos, ataques SSRF, redireccionamientos abiertos u otros comportamientos no deseados.\u0026#xa0;Por ejemplo, la URL \"https://expected-example.com\\@observed-example.com\" devolver\u00e1 incorrectamente \"observed-example.com\" si se usa una versi\u00f3n afectada.\u0026#xa0;Las versiones parcheadas devuelven correctamente \"expected-example.com\".\u0026#xa0;Las versiones parcheadas coinciden con el comportamiento de otros analizadores que implementan la especificaci\u00f3n de URL WHATWG, incluyendo los navegadores web y la clase URL incorporada de Node.\u0026#xa0;La versi\u00f3n 1.19.4 est\u00e1 parcheada contra todas las variantes de carga \u00fatil conocidas. La versi\u00f3n 1.19.3 presenta una ruta parcial pero sigue siendo vulnerable a una variante de carga \u00fatil."
}
],
"id": "CVE-2020-26291",
"lastModified": "2024-11-21T05:19:46.683",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-31T00:15:12.327",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.npmjs.com/package/urijs"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.npmjs.com/package/urijs"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-03 21:15
Modified
2024-11-21 06:50
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| uri.js_project | uri.js | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:uri.js_project:uri.js:*:*:*:*:*:*:*:*",
"matchCriteriaId": "251A4CCE-55A2-4822-AC5A-03F406193362",
"versionEndExcluding": "1.19.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround."
},
{
"lang": "es",
"value": "URI.js es una biblioteca de mutaci\u00f3n de URLs en Javascript. En versiones anteriores a 1.19.9, los caracteres de espacio en blanco no eran eliminadas del principio del protocolo, por lo que las URL no eran analizadas correctamente. Este problema ha sido corregido en versi\u00f3n 1.19.9. Puede usarse como medida de mitigaci\u00f3n eliminar los espacios en blanco al principio de los valores antes de pasarlos a URI.parse"
}
],
"id": "CVE-2022-24723",
"lastModified": "2024-11-21T06:50:57.263",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-03T21:15:07.813",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-05 15:15
Modified
2024-11-21 06:40
Severity ?
Summary
CRHTLF can lead to invalid protocol extraction potentially leading to XSS in GitHub repository medialize/uri.js prior to 1.19.11.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7 | Exploit, Issue Tracking, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| uri.js_project | uri.js | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:uri.js_project:uri.js:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BCFE940B-2DE3-4D02-A96B-BF51B4B18ECD",
"versionEndExcluding": "1.19.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CRHTLF can lead to invalid protocol extraction potentially leading to XSS in GitHub repository medialize/uri.js prior to 1.19.11."
},
{
"lang": "es",
"value": "CRHTLF puede conllevar a una extracci\u00f3n de protocolo no v\u00e1lida conllevando potencialmente a un ataque de tipo XSS en el repositorio de GitHub medialize/uri.js versiones anteriores a 1.19.11"
}
],
"id": "CVE-2022-1243",
"lastModified": "2024-11-21T06:40:19.820",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.7,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-05T15:15:08.097",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-02-22 00:15
Modified
2024-11-21 05:58
Severity ?
Summary
URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://advisory.checkmarx.net/advisory/CX-2021-4305 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/medialize/URI.js/releases/tag/v1.19.6 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://advisory.checkmarx.net/advisory/CX-2021-4305 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/medialize/URI.js/releases/tag/v1.19.6 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| uri.js_project | uri.js | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:uri.js_project:uri.js:*:*:*:*:*:*:*:*",
"matchCriteriaId": "36DFF109-A827-4D9A-9790-55C2564E83EB",
"versionEndExcluding": "1.19.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path."
},
{
"lang": "es",
"value": "URI.js (tambi\u00e9n se conoce como urijs) versiones anteriores a 1.19.6, maneja inapropiadamente determinados usos de barra invertida como http:\\/ e interpreta el URI como una ruta relativa"
}
],
"id": "CVE-2021-27516",
"lastModified": "2024-11-21T05:58:08.520",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-22T00:15:12.620",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2021-4305"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2021-4305"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.6"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
cve-2021-3647
Vulnerability from cvelistv5
Published
2021-07-16 10:11
Modified
2024-08-03 17:01
Severity ?
EPSS score ?
Summary
URI.js is vulnerable to URL Redirection to Untrusted Site
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/1625558772840-medialize/URI.js | x_refsource_CONFIRM | |
| https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| medialize | medialize/URI.js |
Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:08.296Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/1625558772840-medialize/URI.js"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "medialize/URI.js",
"vendor": "medialize",
"versions": [
{
"lessThanOrEqual": "1.19.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "URI.js is vulnerable to URL Redirection to Untrusted Site"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-16T10:11:17",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/1625558772840-medialize/URI.js"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481"
}
],
"source": {
"advisory": "1625558772840-medialize/URI.js",
"discovery": "EXTERNAL"
},
"title": "Open Redirect in medialize/URI.js",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3647",
"STATE": "PUBLIC",
"TITLE": "Open Redirect in medialize/URI.js"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "medialize/URI.js",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "1.19.6"
}
]
}
}
]
},
"vendor_name": "medialize"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "URI.js is vulnerable to URL Redirection to Untrusted Site"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601 URL Redirection to Untrusted Site"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/1625558772840-medialize/URI.js",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/1625558772840-medialize/URI.js"
},
{
"name": "https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481",
"refsource": "MISC",
"url": "https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481"
}
]
},
"source": {
"advisory": "1625558772840-medialize/URI.js",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3647",
"datePublished": "2021-07-16T10:11:17",
"dateReserved": "2021-07-14T00:00:00",
"dateUpdated": "2024-08-03T17:01:08.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-26291
Vulnerability from cvelistv5
Published
2020-12-30 23:40
Modified
2024-08-04 15:56
Severity ?
EPSS score ?
Summary
URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg | x_refsource_CONFIRM | |
| https://www.npmjs.com/package/urijs | x_refsource_MISC | |
| https://github.com/medialize/URI.js/releases/tag/v1.19.4 | x_refsource_MISC | |
| https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:03.814Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.npmjs.com/package/urijs"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "URI.js",
"vendor": "medialize",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node\u0027s built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-30T23:40:16",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.npmjs.com/package/urijs"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155"
}
],
"source": {
"advisory": "GHSA-3329-pjwv-fjpg",
"discovery": "UNKNOWN"
},
"title": "Hostname spoofing in URI.js",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26291",
"STATE": "PUBLIC",
"TITLE": "Hostname spoofing in URI.js"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "URI.js",
"version": {
"version_data": [
{
"version_value": "\u003c 1.19.4"
}
]
}
}
]
},
"vendor_name": "medialize"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node\u0027s built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg",
"refsource": "CONFIRM",
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg"
},
{
"name": "https://www.npmjs.com/package/urijs",
"refsource": "MISC",
"url": "https://www.npmjs.com/package/urijs"
},
{
"name": "https://github.com/medialize/URI.js/releases/tag/v1.19.4",
"refsource": "MISC",
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.4"
},
{
"name": "https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155",
"refsource": "MISC",
"url": "https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155"
}
]
},
"source": {
"advisory": "GHSA-3329-pjwv-fjpg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26291",
"datePublished": "2020-12-30T23:40:16",
"dateReserved": "2020-10-01T00:00:00",
"dateUpdated": "2024-08-04T15:56:03.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-0868
Vulnerability from cvelistv5
Published
2022-03-06 15:20
Modified
2024-08-02 23:40
Severity ?
EPSS score ?
Summary
Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02 | x_refsource_CONFIRM | |
| https://github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| medialize | medialize/uri.js |
Version: unspecified < 1.19.10 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:04.559Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "medialize/uri.js",
"vendor": "medialize",
"versions": [
{
"lessThan": "1.19.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-06T15:20:09",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509"
}
],
"source": {
"advisory": "5f4db013-64bd-4a6b-9dad-870c296b0b02",
"discovery": "EXTERNAL"
},
"title": "Open Redirect in medialize/uri.js",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0868",
"STATE": "PUBLIC",
"TITLE": "Open Redirect in medialize/uri.js"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "medialize/uri.js",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.19.10"
}
]
}
}
]
},
"vendor_name": "medialize"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601 URL Redirection to Untrusted Site"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02"
},
{
"name": "https://github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509",
"refsource": "MISC",
"url": "https://github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509"
}
]
},
"source": {
"advisory": "5f4db013-64bd-4a6b-9dad-870c296b0b02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0868",
"datePublished": "2022-03-06T15:20:09",
"dateReserved": "2022-03-05T00:00:00",
"dateUpdated": "2024-08-02T23:40:04.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-27516
Vulnerability from cvelistv5
Published
2021-02-21 23:29
Modified
2024-08-03 21:26
Severity ?
EPSS score ?
Summary
URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839 | x_refsource_MISC | |
| https://github.com/medialize/URI.js/releases/tag/v1.19.6 | x_refsource_MISC | |
| https://advisory.checkmarx.net/advisory/CX-2021-4305 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:09.101Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2021-4305"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-30T15:51:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2021-4305"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-27516",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839",
"refsource": "MISC",
"url": "https://github.com/medialize/URI.js/commit/a1ad8bcbc39a4d136d7e252e76e957f3ece70839"
},
{
"name": "https://github.com/medialize/URI.js/releases/tag/v1.19.6",
"refsource": "MISC",
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.6"
},
{
"name": "https://advisory.checkmarx.net/advisory/CX-2021-4305",
"refsource": "MISC",
"url": "https://advisory.checkmarx.net/advisory/CX-2021-4305"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27516",
"datePublished": "2021-02-21T23:29:56",
"dateReserved": "2021-02-21T00:00:00",
"dateUpdated": "2024-08-03T21:26:09.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-0613
Vulnerability from cvelistv5
Published
2022-02-16 08:40
Modified
2024-08-02 23:32
Severity ?
EPSS score ?
Summary
Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083 | x_refsource_CONFIRM | |
| https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f | x_refsource_MISC | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXSSATHALUSXXD2KT6UFZAX7EG4GR332/ | vendor-advisory, x_refsource_FEDORA |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| medialize | medialize/uri.js |
Version: unspecified < 1.19.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:46.462Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f"
},
{
"name": "FEDORA-2022-7cca5b6d38",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXSSATHALUSXXD2KT6UFZAX7EG4GR332/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "medialize/uri.js",
"vendor": "medialize",
"versions": [
{
"lessThan": "1.19.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-25T18:06:11",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f"
},
{
"name": "FEDORA-2022-7cca5b6d38",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXSSATHALUSXXD2KT6UFZAX7EG4GR332/"
}
],
"source": {
"advisory": "f53d5c42-c108-40b8-917d-9dad51535083",
"discovery": "EXTERNAL"
},
"title": "Authorization Bypass Through User-Controlled Key in medialize/uri.js",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0613",
"STATE": "PUBLIC",
"TITLE": "Authorization Bypass Through User-Controlled Key in medialize/uri.js"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "medialize/uri.js",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.19.8"
}
]
}
}
]
},
"vendor_name": "medialize"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-639 Authorization Bypass Through User-Controlled Key"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083"
},
{
"name": "https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f",
"refsource": "MISC",
"url": "https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f"
},
{
"name": "FEDORA-2022-7cca5b6d38",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MXSSATHALUSXXD2KT6UFZAX7EG4GR332/"
}
]
},
"source": {
"advisory": "f53d5c42-c108-40b8-917d-9dad51535083",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0613",
"datePublished": "2022-02-16T08:40:09",
"dateReserved": "2022-02-15T00:00:00",
"dateUpdated": "2024-08-02T23:32:46.462Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-1233
Vulnerability from cvelistv5
Published
2022-04-04 19:30
Modified
2024-08-02 23:55
Severity ?
EPSS score ?
Summary
URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c | x_refsource_CONFIRM | |
| https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| medialize | medialize/uri.js |
Version: unspecified < 1.19.11 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:55:24.574Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "medialize/uri.js",
"vendor": "medialize",
"versions": [
{
"lessThan": "1.19.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115 Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T19:30:15",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277"
}
],
"source": {
"advisory": "228d5548-1109-49f8-8aee-91038e88371c",
"discovery": "EXTERNAL"
},
"title": "URL Confusion When Scheme Not Supplied in medialize/uri.js",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1233",
"STATE": "PUBLIC",
"TITLE": "URL Confusion When Scheme Not Supplied in medialize/uri.js"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "medialize/uri.js",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.19.11"
}
]
}
}
]
},
"vendor_name": "medialize"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-115 Misinterpretation of Input"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c"
},
{
"name": "https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277",
"refsource": "MISC",
"url": "https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277"
}
]
},
"source": {
"advisory": "228d5548-1109-49f8-8aee-91038e88371c",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1233",
"datePublished": "2022-04-04T19:30:15",
"dateReserved": "2022-04-04T00:00:00",
"dateUpdated": "2024-08-02T23:55:24.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-24723
Vulnerability from cvelistv5
Published
2022-03-03 20:35
Modified
2024-08-03 04:20
Severity ?
EPSS score ?
Summary
URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f | x_refsource_CONFIRM | |
| https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316 | x_refsource_MISC | |
| https://github.com/medialize/URI.js/releases/tag/v1.19.9 | x_refsource_MISC | |
| https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.182Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "URI.js",
"vendor": "medialize",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-03T20:35:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/"
}
],
"source": {
"advisory": "GHSA-gmv4-r438-p67f",
"discovery": "UNKNOWN"
},
"title": "Improper Input Validation in URI.js",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24723",
"STATE": "PUBLIC",
"TITLE": "Improper Input Validation in URI.js"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "URI.js",
"version": {
"version_data": [
{
"version_value": "\u003c 1.19.9"
}
]
}
}
]
},
"vendor_name": "medialize"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f",
"refsource": "CONFIRM",
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f"
},
{
"name": "https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316",
"refsource": "MISC",
"url": "https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316"
},
{
"name": "https://github.com/medialize/URI.js/releases/tag/v1.19.9",
"refsource": "MISC",
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.9"
},
{
"name": "https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/",
"refsource": "MISC",
"url": "https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/"
}
]
},
"source": {
"advisory": "GHSA-gmv4-r438-p67f",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24723",
"datePublished": "2022-03-03T20:35:11",
"dateReserved": "2022-02-10T00:00:00",
"dateUpdated": "2024-08-03T04:20:50.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-1243
Vulnerability from cvelistv5
Published
2022-04-05 15:05
Modified
2024-08-02 23:55
Severity ?
EPSS score ?
Summary
CRHTLF can lead to invalid protocol extraction potentially leading to XSS in GitHub repository medialize/uri.js prior to 1.19.11.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7 | x_refsource_CONFIRM | |
| https://github.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| medialize | medialize/uri.js |
Version: unspecified < 1.19.11 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:55:24.671Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "medialize/uri.js",
"vendor": "medialize",
"versions": [
{
"lessThan": "1.19.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CRHTLF can lead to invalid protocol extraction potentially leading to XSS in GitHub repository medialize/uri.js prior to 1.19.11."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-05T15:05:18",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae"
}
],
"source": {
"advisory": "8c5afc47-1553-4eba-a98e-024e4cc3dfb7",
"discovery": "EXTERNAL"
},
"title": "CRHTLF can lead to invalid protocol extraction potentially leading to XSS in medialize/uri.js",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1243",
"STATE": "PUBLIC",
"TITLE": "CRHTLF can lead to invalid protocol extraction potentially leading to XSS in medialize/uri.js"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "medialize/uri.js",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.19.11"
}
]
}
}
]
},
"vendor_name": "medialize"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CRHTLF can lead to invalid protocol extraction potentially leading to XSS in GitHub repository medialize/uri.js prior to 1.19.11."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7"
},
{
"name": "https://github.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae",
"refsource": "MISC",
"url": "https://github.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae"
}
]
},
"source": {
"advisory": "8c5afc47-1553-4eba-a98e-024e4cc3dfb7",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1243",
"datePublished": "2022-04-05T15:05:18",
"dateReserved": "2022-04-05T00:00:00",
"dateUpdated": "2024-08-02T23:55:24.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}