Vulnerability Details : CVE-2014-6393
The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.
CVSS Scores & Vulnerability Types
CVSS Score: 4.3
Confidentiality Impact: None (There is no impact to the confidentiality of the system.)
Integrity Impact: Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Availability Impact: None (There is no impact to the availability of the system.)
Access Complexity: Medium (The access conditions are somewhat specialized. Some preconditions must be satisfied to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Gained Access: None
Vulnerability Type(s): Cross Site Scripting
CWE ID: 79
Products Affected By CVE-2014-6393
Number Of Affected Versions By Product
Vendor: Openjsf
Product: Express
Vulnerable Versions: 15
References For CVE-2014-6393