CVE-2014-6393

Good to know:

Date: August 9, 2017

The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.

Language: JS

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version:
yuan1994/wechat_web_devtools - 0.10.102800
jonatasavila-mercadolibre/php-sdk - 1.0.0
ephp/node - no_fix
micheldamasceno/mercadolibre - no_fix
JetBrains.Rider.Frontend6 - no_fix
JetBrains.Rider.Frontend4 - 211.0.20210324.212621-eap09
JetBrains.Rider.Frontend4 - 211.0.20210130.101832-eap01
JetBrains.Rider.Frontend4 - 203.0.20201104.111557-eap06
JetBrains.Rider.Frontend5 - 211.0.20210316.154439-eap08
JetBrains.Rider.Frontend5 - 211.0.20210713.161611
JetBrains.Rider.Frontend5 - 203.0.20201001.140309-eap02
JetBrains.Rider.Frontend5 - 213.0.20211008.154703-eap03
express - 3.11.0
express - 4.5.0
reactorcoder/symfony2-nodesocket - no_fix
reactorcoder/symfony2-nodesocket - stable
mpcmf/mpcmf-web-app - 1.0.0.x-dev
mpcmf/mpcmf-web-app - no_fix
squareproton/bond - no_fix
seyon/nodejs-chat-bundle - no_fix
tiitoo/symfony3-nodesjssocket - no_fix
tiitoo/symfony3-nodesjssocket - stable
ml-expansion/expansion - no_fix
facuramirez/mercado-libre-php-sdk - no_fix
agapito78/php-sdk - no_fix
alejoasotelo/mercadolibre-php-sdk - no_fix
crisnao2/meli - no_fix
marcelojeff/php-sdk - no_fix
ng-grid - 2.0.4
org.webjars.npm:express:4.6.1
org.webjars:browser-sync:no_fix

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:
