CVE-2024-43800 — Cross-site Scripting in Serve-static

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

4.7MEDIUMNVD

EPSS

0.9%

top 24.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Expressjs Serve-static Openjsf Serve-static Debian Node-serve-static +6 more

Timeline

PublishedSep 10

Description

serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 1.6 | Impact: 2.7

Affected Packages9 packages

▶NVDopenjsf/serve-static2.0.0 — 2.1.0+1

▶CVEListV5expressjs/serve-static< 1.16.0+1

▶debiandebian/node-serve-static< node-serve-static 2.1.0+~1.15.7-1 (forky)

▶npmserve-static_project/serve-static2.0.0 — 2.1.0+1

▶msrcmsrc/cbl_mariner_2.0_arm

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

serve-static vulnerable to template injection that can lead to XSS↗2024-09-10

▶

OSV

serve-static vulnerable to template injection that can lead to XSS↗2024-09-10

▶

OSV

CVE-2024-43800: serve-static serves static files↗2024-09-10

▶

📋Vendor Advisories

Microsoft

serve-static affected by template injection that can lead to XSS↗2024-09-10

▶

Red Hat

serve-static: Improper Sanitization in serve-static↗2024-09-10

▶

Debian

CVE-2024-43800: node-serve-static - serve-static serves static files. serve-static passes untrusted user input - eve...↗2024

▶