Bug 1203190 (CVE-2014-6393)

Summary: CVE-2014-6393 express: cross-site scripting via content-type header
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jkeck, jokerman, kseifried, lmeyer, mmccomas, tchollingsworth
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: express 3.11, express 4.5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-04-30 13:08:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1203191, 1203192
Bug Blocks: 1203193

Description Martin Prpič 2015-03-18 11:31:35 UTC
The following flaw was found in Express:

Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. Not forcing the user's browser to use the correct charset could be leveraged by an attacker to perform a cross-site scripting attack using non-standard encodings, like UTF-7.

This flaw is fixed in version 3.11 and 4.5 of Express.

External References:

https://nodesecurity.io/advisories/express-no-charset-in-content-type-header
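The following is an added example, not code from Express or from this report, that models the flaw described above. A 404 page built two ways: the body is HTML-escaped in both, but the vulnerable variant sends `Content-Type: text/html` with no charset, while the fixed variant pins `charset=utf-8`. A small `rendered()` helper stands in for a browser: if the header names a charset it is honoured, otherwise the browser's guess is used, and a UTF-7 guess turns the harmless-looking `+ADw-script+AD4-` sequence into a real `<script>` tag. The payload, `escapeHtml`, `vulnerableNotFound`, `fixedNotFound`, `decodeUtf7` and `rendered` are all constructed for this illustration; which browsers actually sniff UTF-7 is not something the report establishes, so the sniffing step is modelled explicitly rather than assumed.

```javascript
// Added example (not Express code). Models CVE-2014-6393: an error page whose
// HTML escaping is correct still yields XSS when the response carries no charset
// and the browser falls back to guessing UTF-7.

// Constructed attacker-controlled path: UTF-7 encoding of <script>alert(1)</script>.
// It contains no '<' or '>' bytes, so byte-level HTML escaping leaves it untouched.
const UTF7_PAYLOAD = '+ADw-script+AD4-alert(1)+ADw-/script+AD4-';

// Ordinary HTML escaping, as an error page applies before echoing the request path.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Vulnerable shape (hypothetical, matching the advisory's description):
// 404 body is escaped, but Content-Type has no charset parameter.
function vulnerableNotFound(path) {
  return {
    status: 404,
    headers: { 'Content-Type': 'text/html' },
    body: 'Cannot GET ' + escapeHtml(path),
  };
}

// Fixed shape (what "express 3.11 / 4.5" in this bug amounts to for the reader):
// same body, but the charset is pinned so the browser never guesses.
function fixedNotFound(path) {
  return {
    status: 404,
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: 'Cannot GET ' + escapeHtml(path),
  };
}

// Check a response the way a scanner or test would: is a charset declared?
function hasCharset(headers) {
  return /;\s*charset=/i.test(headers['Content-Type'] || '');
}

// Minimal UTF-7 decoder for the "+<base64 UTF-16BE>-" segments used above;
// "+-" is a literal plus sign. Enough to show what a UTF-7 reader sees.
function decodeUtf7(s) {
  return s.replace(/\+([A-Za-z0-9+/]*)-?/g, (_m, b64) => {
    if (b64 === '') return '+';
    const bytes = Buffer.from(b64, 'base64');
    let out = '';
    for (let i = 0; i + 1 < bytes.length; i += 2) {
      out += String.fromCharCode((bytes[i] << 8) | bytes[i + 1]);
    }
    return out;
  });
}

// Stand-in for the browser: honour a declared charset, otherwise use its guess.
// Only the UTF-7 guess is modelled because that is the one that matters here.
function rendered(response, sniffedCharset) {
  const ct = response.headers['Content-Type'] || '';
  const m = /charset=([^;\s]+)/i.exec(ct);
  const charset = (m ? m[1] : sniffedCharset).toLowerCase();
  return charset === 'utf-7' ? decodeUtf7(response.body) : response.body;
}

// Stand-alone demonstration.
console.log('escaped body :', escapeHtml(UTF7_PAYLOAD));
console.log('vulnerable   :', rendered(vulnerableNotFound(UTF7_PAYLOAD), 'utf-7'));
console.log('fixed        :', rendered(fixedNotFound(UTF7_PAYLOAD), 'utf-7'));
```

The point the example makes is that the two responses differ only in one header: output escaping is necessary but not sufficient, because escaping operates on the bytes the server thinks it is sending, while the browser interprets those bytes under whatever charset it ends up using. Pinning `charset=utf-8` on every HTML response, including error pages generated by the framework rather than the application, removes the guess.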

Comment 1 Martin Prpič 2015-03-18 11:33:07 UTC
Created nodejs-express tracking bugs for this issue:

Affects: fedora-all [bug 1203191]
Affects: epel-6 [bug 1203192]