CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43799 – send vulnerable to template injection that can lead to XSS
https://notcve.org/view.php?id=CVE-2024-43799
Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0. Send es una librería para transmitir archivos desde el sistema de archivos como una respuesta http. Send pasa la entrada de usuario no confiable a SendStream.redirect(), que ejecuta código no confiable. • https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35 https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-45296 – path-to-regexp outputs backtracking regular expressions
https://notcve.org/view.php?id=CVE-2024-45296
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. • https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6 https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j • CWE-1333: Inefficient Regular Expression Complexity •