Skip to main content

Express CVE-2024-43796

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-09-10 security-advisories@github.com
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 10, 2024 - 15:15 nvd
MEDIUM 4.7

DescriptionNVD

Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.

AnalysisAI

Express.js minimalist web framework for node. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0. Affected products include: Openjsf Express.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2022-24999 HIGH POC
7.5 Nov 26

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for

CVE-2026-47370 CRITICAL
9.9 Jun 12

Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitra

CVE-2026-47369 CRITICAL
9.9 Jun 12

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on

CVE-2024-10491 MEDIUM POC
5.3 Oct 29

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in

CVE-2025-48997 HIGH
8.7 Jun 03

Denial of Service vulnerability in Multer (Node.js multipart form-data middleware) affecting versions 1.4.4-lts.1 throug

CVE-2026-47368 HIGH
8.6 Jun 12

Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive

CVE-2025-67731 HIGH
7.5 Dec 12

Servify Express, a Node.js package for starting Express servers, contains a denial of service vulnerability caused by th

CVE-2014-6393 MEDIUM
6.1 Aug 09

The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Ty

CVE-2024-29041 MEDIUM
6.1 Mar 25

Express.js minimalist web framework for node. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitab

CVE-2014-6887 MEDIUM
5.4 Oct 11

The EXPRESS (aka com.gpshopper.express.android) application 2.5.3 for Android does not verify X.509 certificates from SS

CVE-2026-27508 MEDIUM
5.1 Mar 30

Reflected cross-site scripting (XSS) in Smoothwall Express versions before 3.1 Update 13 allows unauthenticated remote a

CVE-2026-26352 MEDIUM
5.1 Mar 30

Stored cross-site scripting in Smoothwall Express prior to version 3.1 Update 13 allows authenticated attackers to injec

Share

CVE-2024-43796 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy