Lucene search
GoogleOSV:GHSA-GPVR-G6GH-9MC2HistoryOct 23, 2018 - 5:22 p.m.
No Charset in Content-Type Header in express
2018-10-2317:22:54
Google
osv.dev
8
0.001 Low
EPSS
Percentile
31.1%
Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user’s browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.
Recommendation
For express 3.x, update express to version 3.11 or later.
For express 4.x, update express to version 4.5 or later.
Related
nodejs
nodejs
No Charset in Content-Type Header
2015-10-17 19:41:46
debiancve
debiancve
CVE-2014-6393
2017-08-09 18:29:00
prion
prion
Cross site scripting
2017-08-09 18:29:00
cvelist
cvelist
CVE-2014-6393
2017-08-09 18:00:00
cve
cve
CVE-2014-6393
2017-08-09 18:29:00
ubuntucve
ubuntucve
CVE-2014-6393
2017-08-09 00:00:00
nvd
nvd
CVE-2014-6393
2017-08-09 18:29:00
github
github
No Charset in Content-Type Header in express
2018-10-23 17:22:54