passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code
The vulnerability arises when untrusted user input is passed to the SendStream.redirect() function, even after that input has been sanitized. The redirect response carries an HTML template whose link is built from the supplied path, so the result can be execution of attacker-controlled script in the victim's browser. Successful exploitation requires all of the following conditions: 1) the attacker controls the input to response.redirect(); 2) the Express framework does not complete the redirect before the template is rendered to the user; and 3) the browser does not finish redirecting before the user clicks the link in the template. The impact is cross-site scripting (XSS), compromising the security and integrity of the application.
CWE-79
CVE-2024-43799
Patches
This issue is patched in fetchr_send 0.19.0.
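Upgrading removes the library-side defect; an application should additionally never hand a user-controlled path to redirect() unchecked. The following is an added example (not code from fetchr_send, send or Express) showing a defender-side guard that accepts only same-origin absolute paths and a redirect body that renders the destination as escaped text with no clickable link, which removes the element the three exploitation conditions above depend on. The helper names safeRedirectTarget and renderRedirectBody, and the Express-style req/res shapes, are assumptions of this example.

```javascript
// Escape the five HTML metacharacters so a value is safe as text content.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only a same-origin, absolute-path redirect target: exactly one leading
// slash, no scheme, no protocol-relative "//" or "/\", no control/whitespace
// characters and no HTML metacharacters. Returns the normalized path plus query
// string, or null when the input must be refused. (Hypothetical helper.)
function safeRedirectTarget(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) return null;
  if (/[\u0000-\u001f\u007f\s]/.test(input)) return null; // control chars, whitespace
  if (!input.startsWith('/')) return null;                  // relative path or scheme prefix
  if (/^\/[\/\\]/.test(input)) return null;                 // protocol-relative form
  if (/[<>"'`]/.test(input)) return null;                   // HTML metacharacters
  // Resolve dot segments against a fixed placeholder origin and refuse anything
  // whose resolution would leave that origin.
  let url;
  try { url = new URL(input, 'http://placeholder.invalid'); } catch (e) { return null; }
  if (url.origin !== 'http://placeholder.invalid') return null;
  return url.pathname + url.search;
}

// Minimal redirect body: the destination appears only as escaped text inside
// <pre>, never as an <a href>, so there is nothing for a user to click.
function renderRedirectBody(loc) {
  return '<!DOCTYPE html>\n<html lang="en">\n<head>\n<meta charset="utf-8">\n' +
    '<title>Redirecting</title>\n</head>\n<body>\n' +
    '<pre>Redirecting to ' + escapeHtml(loc) + '</pre>\n</body>\n</html>\n';
}

// Express-style handler (assumed req/res shape): validate first, then redirect.
function redirectHandler(req, res) {
  const target = safeRedirectTarget(req.query && req.query.next);
  if (target === null) {
    res.status(400).end('Invalid redirect target');
    return;
  }
  res.status(302).set('Location', target).end(renderRedirectBody(target));
}
```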
I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.