URI.js Project URI.js 1.19.1

CPE Details

URI.js Project URI.js 1.19.1
uri.js_project
uri.js
1.19.1
2021-07-21
15h01 +00:00
2022-11-29
13h42 +00:00
CPE NVD
Alerte pour un CPE
Restez informé de toutes modifications pour un CPE spécifique.
Gestion des notifications

CPE Name: cpe:2.3:a:uri.js_project:uri.js:1.19.1:*:*:*:*:*:*:*

Informations

Vendor

uri.js_project

Product

uri.js

Version

1.19.1

Related CVE

Open and find in CVE List

CVE ID Publié Description Score Gravité
CVE-2022-1243 2022-04-05 13h05 +00:00 CRHTLF can lead to invalid protocol extraction potentially leading to XSS in GitHub repository medialize/uri.js prior to 1.19.11.
6.1
Moyen
CVE-2022-1233 2022-04-04 17h30 +00:00 URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11.
6.1
Moyen
CVE-2022-0868 2022-03-06 14h20 +00:00 Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10.
6.1
Moyen
CVE-2022-24723 2022-03-03 20h35 +00:00 URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround.
5.3
Moyen
CVE-2022-0613 2022-02-16 07h40 +00:00 Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.
6.5
Moyen
CVE-2021-3647 2021-07-16 08h11 +00:00 URI.js is vulnerable to URL Redirection to Untrusted Site
6.1
Moyen
CVE-2021-27516 2021-02-21 22h29 +00:00 URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
7.5
Haute
CVE-2020-26291 2020-12-30 22h40 +00:00 URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]
6.5
Moyen
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.