CVE-2014-6393
Published 2017-08-09
Priority: P4 (21) · Severity: medium · CVSS 3.0 base score 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 1.14% (62.5th percentile)
The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.
Affected
18 ranges (the 14 openjsf entries that carry no version or fix data are collapsed into one row)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-express | < 4.16.4-1 (bookworm) | 4.16.4-1 (bookworm) |
| express | express | >= 0, < 3.11.0 | 3.11.0 |
| express | express | >= 4.0.0, < 4.5.0 | 4.5.0 |
| openjsf | express | <= 3.10.5 | — |
| openjsf | express | 14 further entries, no version or fix data recorded | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | LOW | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
OSV
No Charset in Content-Type Header in express
osv·2018-10-23
CVE-2014-6393 [MEDIUM] No Charset in Content-Type Header in express
Vulnerable versions of Express do not specify a charset field in the Content-Type header of 400-level response messages. Because the browser is not told which charset to use, it may guess one, and an attacker can exploit that guess to perform a cross-site scripting attack using a non-standard encoding such as UTF-7.
## Recommendation
For express 3.x, update express to version 3.11 or later.
For express 4.x, update express to version 4.5 or later.
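The mechanism described in the advisory above (and in the NVD summary at the top of the page), as an added example that is not Express's own code: a 4xx error page that HTML-escapes the echoed request path is still exploitable when its Content-Type carries no charset, because a UTF-7-encoded payload contains no `<` for the escaper to catch until a browser that sniffs the encoding decodes it. The block uses only Node built-ins, so it runs without installing Express; `buildErrorResponse`, `auditResponse`, `ensureCharset` and `charsetMiddleware` are names chosen for this example, and the middleware is an assumed compensating control for deployments that cannot upgrade yet, not an Express API.

```javascript
// Added example, not Express's own code. Demonstrates why a missing charset on a
// 4xx page defeats HTML escaping, gives an audit check for the header, and shows a
// hypothetical middleware that forces a charset onto text Content-Types.

// Standard HTML escaper of the kind an error page applies before echoing the request path.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Minimal UTF-7 encoder: every character outside [A-Za-z0-9 ] becomes "+<base64 of UTF-16BE>-".
// Real encoders merge adjacent runs; one run per character is still valid UTF-7 and is
// enough to show that the escaper above never sees a '<'.
function utf7Encode(s) {
  return Array.from(s).map(ch => {
    if (/[A-Za-z0-9 ]/.test(ch)) return ch;
    const code = ch.charCodeAt(0);
    const b64 = Buffer.from([code >> 8, code & 0xff]).toString('base64').replace(/=+$/, '');
    return `+${b64}-`;
  }).join('');
}

// True when a Content-Type value carries a charset parameter.
function contentTypeDeclaresCharset(ct) {
  if (!ct) return false;
  return ct.split(';').slice(1).some(p => /^\s*charset\s*=\s*\S+/i.test(p));
}

// Append charset=utf-8 to text types that lack one; leave binary and already-declared types alone.
function ensureCharset(ct) {
  if (!ct || contentTypeDeclaresCharset(ct)) return ct;
  const mediaType = ct.split(';')[0].trim().toLowerCase();
  return mediaType.startsWith('text/') ? `${ct}; charset=utf-8` : ct;
}

// Build the error page either the way a vulnerable 4xx handler did (no charset) or the way
// the fixed versions do. The body echoes the path after escaping, so the escaper is not the
// weak point: the payload contains no '<' until a browser decodes it as UTF-7.
function buildErrorResponse(statusCode, path, declareCharset) {
  const body = `<!DOCTYPE html><html><body><pre>Cannot GET ${escapeHtml(path)}</pre></body></html>`;
  return {
    statusCode,
    headers: { 'Content-Type': declareCharset ? 'text/html; charset=utf-8' : 'text/html' },
    body,
  };
}

// Audit check: a 4xx text response without a charset is a finding.
function auditResponse(res) {
  const findings = [];
  const ct = res.headers['Content-Type'] || res.headers['content-type'] || '';
  const mediaType = ct.split(';')[0].trim().toLowerCase();
  if (res.statusCode >= 400 && res.statusCode < 500 && mediaType.startsWith('text/') && !contentTypeDeclaresCharset(ct)) {
    findings.push(`${res.statusCode} response sends "${ct}" with no charset; encoding is left to browser sniffing`);
  }
  return findings;
}

// Hypothetical compensating control for apps that cannot upgrade: wrap res.setHeader so every
// text Content-Type set later in the request (including by a 404 handler) carries a charset.
function charsetMiddleware(req, res, next) {
  const originalSetHeader = res.setHeader.bind(res);
  res.setHeader = (name, value) => originalSetHeader(
    name,
    String(name).toLowerCase() === 'content-type' && typeof value === 'string' ? ensureCharset(value) : value,
  );
  next();
}

// Constructed input: the XSS probe "<script>alert(1)</script>" in UTF-7, sent as a request path.
function demo() {
  const payload = utf7Encode('<script>alert(1)</script>');
  const vulnerable = buildErrorResponse(404, '/' + payload, false);
  const fixed = buildErrorResponse(404, '/' + payload, true);
  return {
    payload,
    escaperChangedNothing: escapeHtml(payload) === payload,
    vulnerableFindings: auditResponse(vulnerable),
    fixedFindings: auditResponse(fixed),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Upgrading to 3.11 or 4.5 is the fix; the middleware only covers text responses some handler still emits without a charset, and `auditResponse` is the check to run against every 4xx path of an application that cannot be upgraded yet. Modern browsers have dropped UTF-7 decoding, which limits the practical impact, but a missing charset still leaves the encoding to browser heuristics.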
GHSA
No Charset in Content-Type Header in express
ghsa·2018-10-23
CVE-2014-6393 [MEDIUM] CWE-79 No Charset in Content-Type Header in express
Advisory text and recommendation (update to 3.11 or later on the 3.x line, 4.5 or later on the 4.x line) are the same as in the OSV entry above.
OSV
CVE-2014-6393: The Express web framework before 3
osv·2017-08-09·CVSS 6.1
Red Hat
express: cross-site scripting via content-type header
vendor_redhat·2015-03-15·CVSS 6.1
CVE-2014-6393 [MEDIUM] CWE-79 express: cross-site scripting via content-type header
Package: nodejs010-nodejs-express (Red Hat OpenShift Enterprise 2): Will not fix
Debian
CVE-2014-6393: node-express - The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not pr...
vendor_debian·2014·CVSS 6.1
Scope: local
bookworm: resolved (fixed in 4.16.4-1)
bullseye: resolved (fixed in 4.16.4-1)
forky: resolved (fixed in 4.16.4-1)
sid: resolved (fixed in 4.16.4-1)
trixie: resolved (fixed in 4.16.4-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-6393 nodejs-express: express: cross-site scripting via content-type header [fedora-all]
bugzilla·2015-03-18·CVSS 6.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple sup
Bugzilla
CVE-2014-6393 express: cross-site scripting via content-type header
bugzilla·2015-03-18·CVSS 6.1
The following flaw was found in Express:
Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.
This flaw is fixed in version 3.11 and 4.5 of Express.
External References:
https://nodesecurity.io/advisories/express-no-charset-in-content-type-header
Discussion:
Created nodejs-express tracking bugs for this issue:
Affects: fedora-all [bug 1203191]
Affects: epel-6 [bug 1203192]
Bugzilla
CVE-2014-6393 nodejs-express: express: cross-site scripting via content-type header [epel-6]
bugzilla·2015-03-18·CVSS 6.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-6 tracking bug for nodejs-expre