Описание
The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.
| Релиз | Статус | Примечание |
|---|---|---|
| artful | ignored | end of life |
| bionic | ignored | end of standard support, was needed |
| cosmic | ignored | end of life |
| devel | released | 4.16.4-1 |
| disco | released | 4.16.4-1 |
| eoan | released | 4.16.4-1 |
| esm-apps/bionic | needed | |
| esm-apps/focal | released | 4.16.4-1 |
| esm-apps/jammy | released | 4.16.4-1 |
| esm-apps/noble | released | 4.16.4-1 |
Показывать по
Ссылки на источники
EPSS
4.3 Medium
CVSS2
6.1 Medium
CVSS3
Связанные уязвимости
The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.
The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.
The Express web framework before 3.11 and 4.x before 4.5 for Node.js d ...
EPSS
4.3 Medium
CVSS2
6.1 Medium
CVSS3