CVE-2014-6393: No Charset in Content-Type Header
Express does not specify a charset field in the Content-Type header when displaying level response messages. Because the user's browser is not forced to use the correct charset, an attacker could leverage this to perform a cross-site scripting attack using non-standard encodings such as UTF-7.
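As an added example (not code from the advisory or from Express itself), the following JavaScript parses Content-Type header values, flags textual responses that omit a charset (the condition described above), and shows the mitigation of pinning charset=utf-8; the response samples are constructed.

```javascript
// Added example for CVE-2014-6393: detect and harden Content-Type headers
// that carry no charset. All header values and responses below are constructed.

// Parse a Content-Type value into its media type and (lower-cased) parameters.
function parseContentType(value) {
  const [type, ...params] = String(value).split(';').map((s) => s.trim());
  const parameters = {};
  for (const p of params) {
    const idx = p.indexOf('=');
    if (idx > 0) {
      const key = p.slice(0, idx).trim().toLowerCase();
      parameters[key] = p.slice(idx + 1).trim().replace(/^"|"$/g, '');
    }
  }
  return { type: type.toLowerCase(), parameters };
}

// True when a text/* or XHTML response declares no charset, which leaves the
// browser free to guess the encoding (e.g. UTF-7) instead of being told it.
function lacksCharset(value) {
  const ct = parseContentType(value);
  const textual = ct.type.startsWith('text/') || ct.type === 'application/xhtml+xml';
  return textual && !('charset' in ct.parameters);
}

// Mitigation: append charset=utf-8 to textual responses that omit it;
// values that already declare a charset are left unchanged.
function withCharset(value, charset = 'utf-8') {
  return lacksCharset(value) ? `${value}; charset=${charset}` : value;
}

// Detection over captured responses: return the status codes whose
// Content-Type is textual but has no charset pinned.
function findUnpinnedCharset(responses) {
  return responses
    .filter((r) => Object.entries(r.headers).some(
      ([name, v]) => name.toLowerCase() === 'content-type' && lacksCharset(v)))
    .map((r) => r.status);
}

// Constructed sample: a 404 error page without charset, a 500 with one, JSON.
const SAMPLE_RESPONSES = [
  { status: 404, headers: { 'Content-Type': 'text/html' } },
  { status: 500, headers: { 'Content-Type': 'text/html; charset=utf-8' } },
  { status: 200, headers: { 'Content-Type': 'application/json' } },
];

console.log('responses lacking charset:', findUnpinnedCharset(SAMPLE_RESPONSES));
console.log('hardened:', withCharset('text/html'));
```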