4.3

CVE-2018-12123

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NodejsNode.Js SwEditionlts Version >= 6.0.0 < 6.15.0
NodejsNode.Js SwEditionlts Version >= 8.0.0 < 8.14.0
NodejsNode.Js SwEditionlts Version >= 10.0.0 < 10.14.0
NodejsNode.Js SwEdition- Version >= 11.0.0 < 11.3.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.7% 0.889
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-115 Misinterpretation of Input

The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.