CVE-2024-43796

Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openjsf:express:*:*:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:beta3:*:*:*:node.js:*:*

History

20 Sep 2024, 16:07

Type Values Removed Values Added
References () https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553 - () https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553 - Patch
References () https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx - () https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx - Vendor Advisory
CVSS v2 : unknown
v3 : 5.0
v2 : unknown
v3 : 4.7
First Time Openjsf express
Openjsf
Summary
  • (es) Express.js, el framework web minimalista para Node. En Express anterior a la versión 4.20.0, pasar una entrada de usuario no confiable (incluso después de desinfectarla) a response.redirect() puede ejecutar código no confiable. Este problema se solucionó en Express 4.20.0.
CPE cpe:2.3:a:openjsf:express:5.0.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha7:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha8:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:*:*:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:express:5.0.0:alpha1:*:*:*:node.js:*:*

10 Sep 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-10 15:15

Updated : 2024-09-20 16:07


NVD link : CVE-2024-43796

Mitre link : CVE-2024-43796

CVE.ORG link : CVE-2024-43796


JSON object : View

Products Affected

openjsf

  • express
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')