Debian Node-Express vulnerabilities
4 known vulnerabilities affecting debian/node-express.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 3, LOW 1
Vulnerabilities
CVE-2024-10491 | P4 | MEDIUM | CVSS 4.0 | fixed in node-express 4.1.1~dfsg-1 (bookworm) | 2024
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is es
debian
CVE-2024-29041 | P4 | MEDIUM | CVSS 6.1 | fixed in node-express 4.19.2+~cs8.36.21-1 (forky) | 2024
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) o
debian
CVE-2014-6393 | P4 | LOW | CVSS 6.1 | fixed in node-express 4.16.4-1 (bookworm) | 2014
CVE-2014-6393 [MEDIUM] CVE-2014-6393: node-express - The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not pr...
The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.
Scope: local
bookworm: resolved (fixed in 4.16.4-1)
bullseye: resolved (fixed in 4.1
debian
CVE-2024-43796 | P4 | MEDIUM | CVSS 5.0 | fixed in node-express 4.21.0+~cs8.36.26-1 (forky) | 2024
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 4.21.0+~cs8.36.26-1)
sid: resolved (fixed in 4.21.0+~cs8.36.26-1)
trixie: r
debian