CVE-2024-43796

Published: Sep 10, 2024Modified: Sep 20, 2024

4.7

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.6 / Impact: 2.7

Source: NVD

Description

Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.

Affected (12)

Products: Openjsf: Express

Openjsf

1 product

Express

Configuration A

12 vulnerable

Vulnerable Software	Affected Versions
Openjsf Express	Before 4.20.0
Openjsf Express	Version 5.0.0 alpha1
Openjsf Express	Version 5.0.0 alpha2
Openjsf Express	Version 5.0.0 alpha3
Openjsf Express	Version 5.0.0 alpha4
Openjsf Express	Version 5.0.0 alpha5
Openjsf Express	Version 5.0.0 alpha6
Openjsf Express	Version 5.0.0 alpha7
Openjsf Express	Version 5.0.0 alpha8
Openjsf Express	Version 5.0.0 beta1
Openjsf Express	Version 5.0.0 beta2
Openjsf Express	Version 5.0.0 beta3

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553

Source: security-advisories@github.com

Patch

https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.