CVE-2014-6393

MEDIUM

Express <3.11 & <4.5 - XSS

Title source: llm

Description

The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.

References (2)

[Issue Tracking, Third Party Advisory, VDB Entry] https://bugzilla.redhat.com/show_bug.cgi?id=1203190

[Third Party Advisory] https://nodesecurity.io/advisories/express-no-charset-in-content-type-header

Scores

CVSS v3 6.1

EPSS 0.0029

EPSS Percentile 52.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (17)

openjsf/express < 3.10.5

openjsf/express

... and 7 more

Published Aug 09, 2017

Tracked Since Feb 18, 2026