Vulnerability
CVE-2024-10491
[CVE-2024-10491] CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Description
A vulnerability has been identified in the Express `response.links` function, allowing for arbitrary resource injection in the `Link` header when unsanitized data is used. The issue arises from improper sanitization of `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant when the header is built from dynamic parameters.
Deviation Notice:
Sonatype's research suggests that this CVE's details differ from those defined at NVD or other reporting sources.