URI.js Project URI.js 1.6.2

CPE Details

URI.js Project URI.js 1.6.2
uri.js_project
uri.js
1.6.2
2021-07-21
15h01 +00:00
2022-11-29
13h42 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:uri.js_project:uri.js:1.6.2:*:*:*:*:*:*:*

Informations

Vendor

uri.js_project

Product

uri.js

Version

1.6.2

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2022-1243 2022-04-05 13h05 +00:00 CRHTLF can lead to invalid protocol extraction potentially leading to XSS in GitHub repository medialize/uri.js prior to 1.19.11.
6.1
Medium
CVE-2022-1233 2022-04-04 17h30 +00:00 URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11.
6.1
Medium
CVE-2022-0868 2022-03-06 14h20 +00:00 Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10.
6.1
Medium
CVE-2022-24723 2022-03-03 20h35 +00:00 URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround.
5.3
Medium
CVE-2022-0613 2022-02-16 07h40 +00:00 Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.
6.5
Medium
CVE-2021-3647 2021-07-16 08h11 +00:00 URI.js is vulnerable to URL Redirection to Untrusted Site
6.1
Medium
CVE-2021-27516 2021-02-21 22h29 +00:00 URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
7.5
High
CVE-2020-26291 2020-12-30 22h40 +00:00 URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]
6.5
Medium
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.