CVE-2024-43796

Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
GitHub_MCNA
5 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
VendorProductVersion
openjsfexpress
𝑥
< 4.20.0
openjsfexpress
5.0.0:alpha1
openjsfexpress
5.0.0:alpha2
openjsfexpress
5.0.0:alpha3
openjsfexpress
5.0.0:alpha4
openjsfexpress
5.0.0:alpha5
openjsfexpress
5.0.0:alpha6
openjsfexpress
5.0.0:alpha7
openjsfexpress
5.0.0:alpha8
openjsfexpress
5.0.0:beta1
openjsfexpress
5.0.0:beta2
openjsfexpress
5.0.0:beta3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-express
bullseye
postponed
bookworm
no-dsa
trixie
4.21.2+~cs8.36.27-2
fixed
forky
5.1.0+~cs12.3.3-1
fixed
sid
5.1.0+~cs12.3.3-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-express
questing
not-affected
plucky
not-affected
oracular
Fixed 4.19.2+~cs8.36.26-1ubuntu0.1
released
noble
Fixed 4.19.2+~cs8.36.21-1ubuntu0.1~esm1
released
jammy
Fixed 4.17.3+~4.17.13-1ubuntu0.1~esm1
released
focal
Fixed 4.17.1-2ubuntu0.1~esm1
released
bionic
Fixed 4.1.1~dfsg-1ubuntu0.18.04.1~esm1
released
xenial
Fixed 4.1.1~dfsg-1ubuntu0.16.04.1~esm1
released
Common Weakness Enumeration
References
https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553
https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx