← Voltar para CVEs

CVE-2019-16772

LOW

3.1

Descricao

The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Detalhes CVE

Pontuacao CVSS v3.13.1

SeveridadeLOW

Vetor CVSSCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Vetor de ataqueNETWORK

ComplexidadeHIGH

Privilegios necessariosLOW

Interacao do usuarioNONE

Publicado12/7/2019

Ultima modificacao11/21/2024

Fontenvd

Avistamentos honeypot0

Produtos afetados

serialize-to-js_project:serialize-to-js

Fraquezas (CWE)

CWE-79CWE-79

Referencias

https://github.com/commenthol/serialize-to-js/commit/181d7d583ae5293cd47cc99b14ad13352875f3e3(security-advisories@github.com)

https://github.com/commenthol/serialize-to-js/security/advisories/GHSA-3fjq-93xj-3f3f(security-advisories@github.com)

https://github.com/commenthol/serialize-to-js/commit/181d7d583ae5293cd47cc99b14ad13352875f3e3(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/commenthol/serialize-to-js/security/advisories/GHSA-3fjq-93xj-3f3f(af854a3a-2127-422b-91ae-364da2661108)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.