Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-XRH7-M5PP-39R6
HistoryJan 31, 2023 - 10:39 p.m.

XSS Attack with Express API

2023-01-3122:39:40
CWE-79
GitHub Advisory Database
github.com
13
xss attack
express api
version 2.0.0.

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

0.001 Low

EPSS

Percentile

27.3%

JSON

Impact

XSS attack - anyone using the Express API is impacted

Patches

The problem has been resolved. Users should upgrade to version 2.0.0.

Workarounds

Don’t pass user supplied data directly to res.renderFile.

References

Are there any links users can visit to find out more?
See https://github.com/eta-dev/eta/releases/tag/v2.0.0

Affected configurations

Vulners
Node
eta-devetaRange<2.0.0
CPENameOperatorVersion
etalt2.0.0

Related

osv 2
cve 1
nvd 1
veracode 1
prion 1
cvelist 1
osv
osv
CVE-2023-23630
2023-02-01 01:15:08
XSS Attack with Express API
2023-01-31 22:39:40
cve
cve
CVE-2023-23630
2023-02-01 01:15:08
nvd
nvd
CVE-2023-23630
2023-02-01 01:15:08
veracode
veracode
Cross-site Scripting (XSS)
2023-02-06 06:25:15
prion
prion
Design/Logic Flaw
2023-02-01 01:15:00
cvelist
cvelist
CVE-2023-23630 Cross-site (XSS) vulnerability with Express API in Eta
2023-02-01 00:38:29

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

0.001 Low

EPSS

Percentile

27.3%

JSON
Related for GHSA-XRH7-M5PP-39R6
osv2cve1nvd1veracode1prion1cvelist1