216.73.216.170

CVE-2024-10491

· Published 29/10/2024 17:15 · Modified 06/11/2024 23:08

Labels: CVE-2024-10491 2024-10-2936c7be3b-2937-45df-85ea-ca7133ea542cCVE-2024-10491CWE-74NVD-CWE-noinfo

Essential information

Published
29/10/2024 17:15
Modified
06/11/2024 23:08
Author
Creator
CVSS
4.0 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

CVSS metrics

Description

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters.

NVD status

Status
Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source
36c7be3b-2937-45df-85ea-ca7133ea542c
NVD
View on NVD

Affected products (CPE)

ProductCPE
openjsf / express cpe:2.3:a:openjsf:express:*:*:*:*:*:node.js:*:*

References