Lucene search

[email protected]CVE-2019-16769

HistoryDec 05, 2019 - 7:15 p.m.

CVE-2019-16769

2019-12-0519:15:15

CWE-79

[email protected]

web.nvd.nist.gov

security

xss

npm package

serialize-javascript

cve-2019-16769

node.js

nvd

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

22.9%

JSON

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js’s implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Affected configurations

Vulners

NVD

Node

yahooyahoo_assistantRange<2.1.1

VendorProductVersionCPE
yahooyahoo_assistant*cpe:2.3:a:yahoo:yahoo_assistant:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
yahoo	yahoo_assistant	*	cpe:2.3:a:yahoo:yahoo_assistant::::::::

CNA Affected

[
  {
    "product": "serialize-javascript",
    "vendor": "yahoo",
    "versions": [
      {
        "lessThan": "2.1.1",
        "status": "affected",
        "version": "< 2.1.1",
        "versionType": "custom"
      }
    ]
  }
]