1203190 – (CVE-2014-6393) CVE-2014-6393 express: cross-site scripting via content-type header

Bug 1203190 (CVE-2014-6393) - CVE-2014-6393 express: cross-site scripting via content-type header

Summary: CVE-2014-6393 express: cross-site scripting via content-type header

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2014-6393
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1203191 1203192
Blocks:	1203193
TreeView+	depends on / blocked

Reported:	2015-03-18 11:31 UTC by Martin Prpič
Modified:	2021-02-17 05:31 UTC (History)
CC List:	11 users (show)
Fixed In Version:	express 3.11, express 4.5
Clone Of:
Environment:
Last Closed:	2015-04-30 13:08:57 UTC
Embargoed:

Attachments	(Terms of Use)

Description Martin Prpič 2015-03-18 11:31:35 UTC

The following flaw was found in Express:

Vulnerable versions of express do not specify a charset field in the content-type heade while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.

This flaw is fixed in version 3.11 and 4.5 of Express.

External References:

https://nodesecurity.io/advisories/express-no-charset-in-content-type-header

Comment 1 Martin Prpič 2015-03-18 11:33:07 UTC

Created nodejs-express tracking bugs for this issue:

Affects: fedora-all [bug 1203191]
Affects: epel-6 [bug 1203192]

Note You need to log in before you can comment on or make changes to this bug.