You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Express.js Open Redirect in malformed URLs
Description
Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.
When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.
The main method impacted is res.location() but this is also called from within res.redirect().
Severity:
Medium
Identifiers
CWE-1035
CWE-937
webpack-dev-middleware 5.3.3 JavaScript (Yarn)
Path traversal in webpack-dev-middleware
Description
The webpack-dev-middleware middleware does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine.
Severity:
High
Identifiers
CWE-22
CWE-1035
CWE-937
postcss 7.0.39 JavaScript (Yarn)
PostCSS line return parsing error
Description
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
Severity:
Medium
Identifiers
Gemnasium-7a2fe254-d605-4097-a4e3-7eafeb60045e CVE-2023-44270
The text was updated successfully, but these errors were encountered:
nth-check 1.0.2 JavaScript (Yarn)
Incorrect Comparison
Description
nth-check is vulnerable to Inefficient Regular Expression Complexity
Severity:
High
Tool: Dependency Scanning
Scanner: Gemnasium
Links
https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0
https://nvd.nist.gov/vuln/detail/CVE-2021-3803
Identifiers
CVE-2021-3803
Gemnasium-3284fc8f-f377-4fcf-95dd-270a8b922329
Solution
Upgrade to version 2.0.1 or above.
express 4.18.2 JavaScript (Yarn)
Express.js Open Redirect in malformed URLs
Description
Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.
When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.
The main method impacted is res.location() but this is also called from within res.redirect().
Severity:
Medium
Identifiers
CWE-1035
CWE-937
webpack-dev-middleware 5.3.3 JavaScript (Yarn)
Path traversal in webpack-dev-middleware
Description
The webpack-dev-middleware middleware does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine.
Severity:
High
Identifiers
CWE-22
CWE-1035
CWE-937
postcss 7.0.39 JavaScript (Yarn)
PostCSS line return parsing error
Description
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
Severity:
Medium
Identifiers
Gemnasium-7a2fe254-d605-4097-a4e3-7eafeb60045e
CVE-2023-44270
The text was updated successfully, but these errors were encountered: