Lucene search

GitHub_MVULNRICHMENT:CVE-2024-43799

HistorySep 10, 2024 - 2:45 p.m.

CVE-2024-43799 send vulnerable to template injection that can lead to XSS

2024-09-1014:45:06

CWE-79

GitHub_M

github.com

cve-2024-43799

send library

xss

template injection

untrusted code

patch

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

AI Score

Confidence

Low

EPSS

Percentile

9.6%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.

References

github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35

github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg