CVE-2014-6393
EUVD-2018-060309.08.2017, 18:29
The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| openjsf | express | 𝑥 ≤ 3.10.5 |
| openjsf | express | 4.0.0 |
| openjsf | express | 4.1.0 |
| openjsf | express | 4.1.1 |
| openjsf | express | 4.1.2 |
| openjsf | express | 4.2.0 |
| openjsf | express | 4.3.0 |
| openjsf | express | 4.3.1 |
| openjsf | express | 4.3.2 |
| openjsf | express | 4.4.0 |
| openjsf | express | 4.4.1 |
| openjsf | express | 4.4.2 |
| openjsf | express | 4.4.3 |
| openjsf | express | 4.4.4 |
| openjsf | express | 4.4.5 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| node-express |
|