Lucene search
Paweł HałdrzyńskiNODEJS:8HistoryOct 17, 2015 - 7:41 p.m.
No Charset in Content-Type Header
2015-10-1719:41:46
Paweł Hałdrzyński
www.npmjs.com
26
0.001 Low
EPSS
Percentile
31.1%
Overview
Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user’s browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.
Recommendation
For express 3.x, update express to version 3.11 or later.
For express 4.x, update express to version 4.5 or later.
References
| CPE | Name | Operator | Version |
|---|---|---|---|
| express | lt | 3.11 || >= 4 <4.5 |
Related
debiancve
debiancve
CVE-2014-6393
2017-08-09 18:29:00
prion
prion
Cross site scripting
2017-08-09 18:29:00
cvelist
cvelist
CVE-2014-6393
2017-08-09 18:00:00
cve
cve
CVE-2014-6393
2017-08-09 18:29:00
ubuntucve
ubuntucve
CVE-2014-6393
2017-08-09 00:00:00
osv
osv
No Charset in Content-Type Header in express
2018-10-23 17:22:54
nvd
nvd
CVE-2014-6393
2017-08-09 18:29:00
github
github
No Charset in Content-Type Header in express
2018-10-23 17:22:54