GHSA-3vjf-82ff-p4r3

Опубликовано: 06 апр. 2022

Источник: github

Github: Прошло ревью

CVSS3: 7.2

Описание

Incorrect protocol extraction via \r, \n and \t characters

\r, \n and \t characters in user-input URLs can potentially lead to incorrect protocol extraction when using npm package urijs prior to version 1.19.11.

This can lead to XSS when the module is used to prevent passing in malicious javascript: links into HTML or Javascript (see following example):

const parse = require('urijs') const express = require('express') const app = express() const port = 3000 input = "ja\r\nvascript:alert(1)" url = parse(input) console.log(url) app.get('/', (req, res) => { if (url.protocol !== "javascript:") {res.send("<iframe src=\'" + input + "\'>CLICK ME!</iframe>")} }) app.listen(port, () => { console.log(`Example app listening on port ${port}`) })

Ссылки

Пакеты

Наименование

urijs

npm

Затронутые версииВерсия исправления

< 1.19.11

1.19.11

EPSS

Процентиль: 56%

0.00333

Низкий

7.2 High

CVSS3

CVE ID

CVE-2022-1243

Дефекты

CWE-20

Связанные уязвимости

CVE-2022-1243

CVSS3: 6.1

nvd

почти 4 года назад

CRHTLF can lead to invalid protocol extraction potentially leading to XSS in GitHub repository medialize/uri.js prior to 1.19.11.

EPSS

Процентиль: 56%

0.00333

Низкий

7.2 High

CVSS3

CVE ID

CVE-2022-1243

Дефекты

CWE-20