Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)
Vulnerability Description
Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Vulnerability Type
宽松定义的白名单
Vulnerability Title
Express XSS Sanitizer 安全漏洞
Vulnerability Description
Express XSS Sanitizer是AhmedAdelFahim个人开发者的用于清理用户输入数据(在 req.body、req.query、req.headers 和 req.params 中)以防止跨站脚本 (XSS) 攻击。 Express XSS Sanitizer 2.0.2之前版本存在安全漏洞,该漏洞源于限制性清理配置被静默忽略,可能导致跨站脚本攻击。
CVSS Information
N/A
Vulnerability Type
N/A