VDB

CISA-2024-43796

CISA-2024-43796 PUBLISHED CVSS 5 MEDIUM

Reported by GitHub_M · Published September 10, 2024

Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.

Risk Scores

CVSS 3.1
5
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Affected Products

VendorProductVersions
expressjsexpress< 4.20.0, >= 5.0.0-alpha.1, < 5.0.0
expressjsexpress*, *, < 4.20.0

Timeline

  • Sep 10, 2024 CVE Published
  • Sep 10, 2024 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›