CVE-2014-6393

描述

The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.

受影響套件(2)

• Debian/node-expressfrom 0, < 4.16.4-1
• npm/expressfrom 0, < 3.11.0

CVSS 分數

參考連結(5)

• ADVISORYhttps://github.com/advisories/GHSA-gpvr-g6gh-9mc2
• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-6393
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2014-6393
• WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1203190
• WEBhttps://www.npmjs.com/advisories/8