CVE-2024-10491

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters.
References

Link                                                          Resource
https://www.herodevs.com/vulnerability-directory/cve-2024-10491   Exploit, Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:openjsf:express:*:*:*:*:*:node.js:*:*

History

06 Nov 2024, 23:08

Type        Values Removed                                                        Values Added
CVSS        v2 : unknown                                                          v2 : unknown
            v3 : 4.0                                                              v3 : 5.3
References  () https://www.herodevs.com/vulnerability-directory/cve-2024-10491 -  () https://www.herodevs.com/vulnerability-directory/cve-2024-10491 - Exploit, Third Party Advisory
CPE                                                                               cpe:2.3:a:openjsf:express:*:*:*:*:*:node.js:*:*
CWE                                                                               NVD-CWE-noinfo
First Time                                                                        Openjsf
                                                                                  Openjsf express

01 Nov 2024, 12:57

Type Values Removed Values Added
Summary
  • (es) A vulnerability has been identified in the Express response.links function, allowing arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization of `Link` header values, which can allow a combination of characters such as `,`, `;` and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters.

29 Oct 2024, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-29 17:15

Updated : 2024-11-06 23:08


NVD link : CVE-2024-10491

Mitre link : CVE-2024-10491

CVE.ORG link : CVE-2024-10491



Products Affected

openjsf

  • express
CWE

NVD-CWE-noinfo

CWE-74  Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')