NuytsTech Security

CVE-2024-10491

by ·

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.

The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources.

This vulnerability is especially relevant for dynamic parameters.

More information : https://www.herodevs.com/vulnerability-directory/cve-2024-10491

Attack vector : NETWORK
Attack complexity : LOW
Privileges required : NONE
User interaction : NONE
Confidentiality impact : NONE
Integrity impact : LOW
Base score : 5.3
Base severity : MEDIUM
Exploitability score : 3.9
Impact score : 1.4

Tags: