CVE-2014-6393 — Cross-site Scripting in Express

CWE-79 — Cross-site Scripting10 documents7 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 47.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Express Openjsf Express

Timeline

PublishedAug 9

Latest updateOct 23

Description

The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶npmexpress/express4.0.0 — 4.5.0+1

▶NVDopenjsf/express3.10.5+14

🔴Vulnerability Details

OSV

No Charset in Content-Type Header in express↗2018-10-23

▶

GHSA

No Charset in Content-Type Header in express↗2018-10-23

▶

OSV

CVE-2014-6393: The Express web framework before 3↗2017-08-09

▶

CVEList

CVE-2014-6393: The Express web framework before 3↗2017-08-09

▶

📋Vendor Advisories

Red Hat

express: cross-site scripting via content-type header↗2015-03-15

▶

Debian

CVE-2014-6393: node-express - The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not pr...↗2014

▶

💬Community

Bugzilla

CVE-2014-6393 nodejs-express: express: cross-site scripting via content-type header [fedora-all]↗2015-03-18

▶

Bugzilla

CVE-2014-6393 express: cross-site scripting via content-type header↗2015-03-18

▶

Bugzilla

CVE-2014-6393 nodejs-express: express: cross-site scripting via content-type header [epel-6]↗2015-03-18

▶