CVE-2024-43799: Cross-site Scripting in Send

Severity
4.7 MEDIUM (NVD)
5.0 (CNA)
EPSS
0.2% (top 61.02%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 10, 2024

Description

Send is a library for streaming files from the file system as an HTTP response. Send passes untrusted user input (the request path) into the HTML redirect document rendered by SendStream.redirect(), a template injection that can lead to cross-site scripting (XSS) in the browser of a user who follows a crafted URL. The issue is patched in send 0.19.0; applications that receive send transitively through another package need a release of that package that depends on send 0.19.0 or later.
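As an added illustration of the bug class behind this advisory (not send's source code, and not an exact reproduction of its defect): a redirect page that interpolates the request path into HTML. All function names below are hypothetical and the sample path is constructed. The vulnerable builder concatenates the path into the body, so markup in the path becomes markup in the victim's browser; the hardened builder HTML-escapes the path and renders it as text only, leaving the actual redirect to the Location header. A small version check encodes the advisory's affected range (send < 0.19.0).

```javascript
// Added example for CVE-2024-43799's bug class. Hypothetical helpers,
// not send's own code; SAMPLE_PATH is a constructed input.

// Minimal HTML escaper covering the characters that matter in text
// and attribute contexts.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE pattern: the request path lands in the HTML body verbatim,
// both inside the href attribute and as link text.
function buildRedirectVulnerable(reqPath) {
  const loc = reqPath + '/';
  return '<!DOCTYPE html>\n<html><head><title>Redirecting</title></head>' +
    '<body>Redirecting to <a href="' + loc + '">' + loc + '</a></body></html>';
}

// HARDENED pattern: escape the path and render it as plain text only.
// The redirect itself is carried by the Location header, so the body
// does not need to be a clickable, attacker-influenced link.
function buildRedirectFixed(reqPath) {
  const loc = escapeHtml(reqPath + '/');
  return '<!DOCTYPE html>\n<html><head><title>Redirecting</title></head>' +
    '<body>Redirecting to ' + loc + '</body></html>';
}

// Crude detector used only to show the difference between the two
// builders: does the generated document contain a raw <script> tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Advisory's affected range: send < 0.19.0 (0.19.0 itself is fixed).
function isAffectedSendVersion(version) {
  const parts = version.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error('expected a MAJOR.MINOR.PATCH version, got ' + version);
  }
  const [major, minor] = parts;
  if (major > 0) return false;
  return minor < 19;
}

// Constructed sample: a request path carrying a script payload, as an
// attacker would place it in a link sent to the victim (UI:R in the vector).
const SAMPLE_PATH = '/public/<script>alert(document.domain)</script>';

console.log(buildRedirectVulnerable(SAMPLE_PATH));
console.log(buildRedirectFixed(SAMPLE_PATH));
console.log('send 0.18.0 affected:', isAffectedSendVersion('0.18.0'));
```

Run it with node: the first document contains a live script tag, the second contains only `&lt;script&gt;` text. The version check is deliberately strict about input shape; a dependency audit should read the resolved version from the lockfile rather than the range in package.json.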

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.6 | Impact: 2.7
Reading the vector: reachable over the network without privileges, but high attack complexity and a victim who must interact (follow a crafted URL); scope changes because the payload runs in the user's browser rather than on the server, with low confidentiality and integrity impact and no availability impact.

Affected Packages (3 packages)

CVEListV5: pillarjs/send < 0.19.0
NVD: send_project/send < 0.19.0
npm: send_project/send < 0.19.0

Patches

🔴 Vulnerability Details (4)

OSV: CVE-2024-43799: Send is a library for streaming files from the file system as a http response (2024-09-10)
GHSA: send vulnerable to template injection that can lead to XSS (2024-09-10)
OSV: send vulnerable to template injection that can lead to XSS (2024-09-10)
CVEList: send vulnerable to template injection that can lead to XSS (2024-09-10)

📋 Vendor Advisories (3)

Microsoft: send vulnerable to template injection that can lead to XSS (2024-09-10)
Red Hat: send: Code Execution Vulnerability in Send Library (2024-09-10)
Debian: CVE-2024-43799: node-send - Send is a library for streaming files from the file system as a http response. S... (2024)
CVE-2024-43799 — Cross-site Scripting in Pillarjs Send | cvebase