Express for Node.js: a minimalist and flexible web framework for Node.js applications
Release cycle, vulnerability information

BDU:2025-00076
Vulnerability in the document viewer library of the web version of the eXpress communication system client, caused by insufficient protection of the web page structure, allowing an attacker to execute arbitrary JavaScript code
GHSA-cm5g-3pgc-8rg4
Express resource injection

CVE-2024-10491
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters.
GHSA-qw6h-vgh9-j6wx
express vulnerable to XSS via response.redirect()
CVE-2024-43796

CVE-2024-43796
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
Vulnerability | Description | CVSS | EPSS | Published
---|---|---|---|---
BDU:2025-00076 | Vulnerability in the document viewer library of the web version of the eXpress communication system client, caused by insufficient protection of the web page structure, allowing an attacker to execute arbitrary JavaScript code | CVSS3: 8 | | 6 months ago
GHSA-cm5g-3pgc-8rg4 | Express resource injection | CVSS3: 4 | 0% Low | 8 months ago
CVE-2024-10491 | A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters. | CVSS3: 4 | 0% Low | 8 months ago
CVE-2024-10491 | A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters. | CVSS3: 5.4 | 0% Low | 8 months ago
GHSA-qw6h-vgh9-j6wx | express vulnerable to XSS via response.redirect() | CVSS3: 5 | 0% Low | 9 months ago
CVE-2024-43796 | Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0. | CVSS3: 5 | 0% Low | 9 months ago