CVE-2024-43800

serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openjsf:serve-static:*:*:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:serve-static:*:*:*:*:*:node.js:*:*

History

20 Sep 2024, 17:36

Type Values Removed Values Added
References () https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b - () https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b - Patch
References () https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa - () https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa - Patch
References () https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p - () https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p - Vendor Advisory
CPE cpe:2.3:a:openjsf:serve-static:*:*:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : 5.0
v2 : unknown
v3 : 4.7
First Time Openjsf
Openjsf serve-static

10 Sep 2024, 15:50

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-10 15:15

Updated : 2024-09-20 17:36


NVD link : CVE-2024-43800

Mitre link : CVE-2024-43800

CVE.ORG link : CVE-2024-43800


JSON object : View

Products Affected

openjsf

  • serve-static
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')