Lucene search

GitHub Advisory DatabaseGHSA-M6FV-JMCG-4JFG

HistorySep 10, 2024 - 7:42 p.m.

send vulnerable to template injection that can lead to XSS

2024-09-1019:42:41

CWE-79

GitHub Advisory Database

github.com

vulnerability

template injection

xss

sendstream.redirect

patch

workaround

user input

exploit

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

AI Score

6.8

Confidence

High

EPSS

Percentile

9.6%

JSON

Impact

passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code

Patches

this issue is patched in send 0.19.0

Workarounds

users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist

Details

successful exploitation of this vector requires the following:

The attacker MUST control the input to response.redirect()
express MUST NOT redirect before the template appears
the browser MUST NOT complete redirection before:
the user MUST click on the link in the template

Affected configurations

Vulners

Node

send_projectsendRange<0.19.0node.js

VendorProductVersionCPE
send_projectsend*cpe:2.3:a:send_project:send:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
send_project	send	*	cpe:2.3:a:send_project:send::::::node.js::*

References

github.com/advisories/GHSA-m6fv-jmcg-4jfg

github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35

github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg

nvd.nist.gov/vuln/detail/CVE-2024-43799