Search
Find a vulnerability
Search criteria
7 vulnerabilities by medialize
CVE-2022-1243 (GCVE-0-2022-1243)
Vulnerability from cvelistv5 – Published: 2022-04-05 15:05 – Updated: 2024-08-02 23:55
VLAI
Title
CRHTLF can lead to invalid protocol extraction potentially leading to XSS in medialize/uri.js
Summary
CRHTLF can lead to invalid protocol extraction potentially leading to XSS in GitHub repository medialize/uri.js prior to 1.19.11.
Severity
7.2 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/8c5afc47-1553-4eba-a98… | x_refsource_CONFIRM |
| https://github.com/medialize/uri.js/commit/b0c979… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| medialize | medialize/uri.js |
Affected:
unspecified , < 1.19.11
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:55:24.671Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "medialize/uri.js",
"vendor": "medialize",
"versions": [
{
"lessThan": "1.19.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CRHTLF can lead to invalid protocol extraction potentially leading to XSS in GitHub repository medialize/uri.js prior to 1.19.11."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-05T15:05:18.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae"
}
],
"source": {
"advisory": "8c5afc47-1553-4eba-a98e-024e4cc3dfb7",
"discovery": "EXTERNAL"
},
"title": "CRHTLF can lead to invalid protocol extraction potentially leading to XSS in medialize/uri.js",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1243",
"STATE": "PUBLIC",
"TITLE": "CRHTLF can lead to invalid protocol extraction potentially leading to XSS in medialize/uri.js"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "medialize/uri.js",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.19.11"
}
]
}
}
]
},
"vendor_name": "medialize"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CRHTLF can lead to invalid protocol extraction potentially leading to XSS in GitHub repository medialize/uri.js prior to 1.19.11."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/8c5afc47-1553-4eba-a98e-024e4cc3dfb7"
},
{
"name": "https://github.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae",
"refsource": "MISC",
"url": "https://github.com/medialize/uri.js/commit/b0c9796aa1a95a85f40924fb18b1e5da3dc8ffae"
}
]
},
"source": {
"advisory": "8c5afc47-1553-4eba-a98e-024e4cc3dfb7",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1243",
"datePublished": "2022-04-05T15:05:18.000Z",
"dateReserved": "2022-04-05T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:55:24.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1233 (GCVE-0-2022-1233)
Vulnerability from cvelistv5 – Published: 2022-04-04 19:30 – Updated: 2024-08-02 23:55
VLAI
Title
URL Confusion When Scheme Not Supplied in medialize/uri.js
Summary
URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11.
Severity
6.5 (Medium)
CWE
- CWE-115 - Misinterpretation of Input
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/228d5548-1109-49f8-8ae… | x_refsource_CONFIRM |
| https://github.com/medialize/uri.js/commit/88805f… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| medialize | medialize/uri.js |
Affected:
unspecified , < 1.19.11
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:55:24.574Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "medialize/uri.js",
"vendor": "medialize",
"versions": [
{
"lessThan": "1.19.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115 Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T19:30:15.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277"
}
],
"source": {
"advisory": "228d5548-1109-49f8-8aee-91038e88371c",
"discovery": "EXTERNAL"
},
"title": "URL Confusion When Scheme Not Supplied in medialize/uri.js",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1233",
"STATE": "PUBLIC",
"TITLE": "URL Confusion When Scheme Not Supplied in medialize/uri.js"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "medialize/uri.js",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.19.11"
}
]
}
}
]
},
"vendor_name": "medialize"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-115 Misinterpretation of Input"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c"
},
{
"name": "https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277",
"refsource": "MISC",
"url": "https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277"
}
]
},
"source": {
"advisory": "228d5548-1109-49f8-8aee-91038e88371c",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1233",
"datePublished": "2022-04-04T19:30:15.000Z",
"dateReserved": "2022-04-04T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:55:24.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0868 (GCVE-0-2022-0868)
Vulnerability from cvelistv5 – Published: 2022-03-06 15:20 – Updated: 2024-08-02 23:40
VLAI
Title
Open Redirect in medialize/uri.js
Summary
Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10.
Severity
CWE
- CWE-601 - URL Redirection to Untrusted Site
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/5f4db013-64bd-4a6b-9da… | x_refsource_CONFIRM |
| https://github.com/medialize/uri.js/commit/a8166f… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| medialize | medialize/uri.js |
Affected:
unspecified , < 1.19.10
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:04.559Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "medialize/uri.js",
"vendor": "medialize",
"versions": [
{
"lessThan": "1.19.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-06T15:20:09.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509"
}
],
"source": {
"advisory": "5f4db013-64bd-4a6b-9dad-870c296b0b02",
"discovery": "EXTERNAL"
},
"title": "Open Redirect in medialize/uri.js",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0868",
"STATE": "PUBLIC",
"TITLE": "Open Redirect in medialize/uri.js"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "medialize/uri.js",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.19.10"
}
]
}
}
]
},
"vendor_name": "medialize"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open Redirect in GitHub repository medialize/uri.js prior to 1.19.10."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601 URL Redirection to Untrusted Site"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/5f4db013-64bd-4a6b-9dad-870c296b0b02"
},
{
"name": "https://github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509",
"refsource": "MISC",
"url": "https://github.com/medialize/uri.js/commit/a8166fe02f3af6dc1b2b888dcbb807155aad9509"
}
]
},
"source": {
"advisory": "5f4db013-64bd-4a6b-9dad-870c296b0b02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0868",
"datePublished": "2022-03-06T15:20:09.000Z",
"dateReserved": "2022-03-05T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:40:04.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24723 (GCVE-0-2022-24723)
Vulnerability from cvelistv5 – Published: 2022-03-03 20:35 – Updated: 2025-04-22 18:20
VLAI
Title
Improper Input Validation in URI.js
Summary
URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/medialize/URI.js/security/advi… | x_refsource_CONFIRM |
| https://github.com/medialize/uri.js/commit/86d105… | x_refsource_MISC |
| https://github.com/medialize/URI.js/releases/tag/… | x_refsource_MISC |
| https://huntr.dev/bounties/82ef23b8-7025-49c9-b5f… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.182Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24723",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:41:56.119987Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:20:48.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "URI.js",
"vendor": "medialize",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-03T20:35:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/"
}
],
"source": {
"advisory": "GHSA-gmv4-r438-p67f",
"discovery": "UNKNOWN"
},
"title": "Improper Input Validation in URI.js",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24723",
"STATE": "PUBLIC",
"TITLE": "Improper Input Validation in URI.js"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "URI.js",
"version": {
"version_data": [
{
"version_value": "\u003c 1.19.9"
}
]
}
}
]
},
"vendor_name": "medialize"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f",
"refsource": "CONFIRM",
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f"
},
{
"name": "https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316",
"refsource": "MISC",
"url": "https://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316"
},
{
"name": "https://github.com/medialize/URI.js/releases/tag/v1.19.9",
"refsource": "MISC",
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.9"
},
{
"name": "https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/",
"refsource": "MISC",
"url": "https://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/"
}
]
},
"source": {
"advisory": "GHSA-gmv4-r438-p67f",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24723",
"datePublished": "2022-03-03T20:35:11.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:20:48.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0613 (GCVE-0-2022-0613)
Vulnerability from cvelistv5 – Published: 2022-02-16 08:40 – Updated: 2024-08-02 23:32
VLAI
Title
Authorization Bypass Through User-Controlled Key in medialize/uri.js
Summary
Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.
Severity
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/f53d5c42-c108-40b8-917… | x_refsource_CONFIRM |
| https://github.com/medialize/uri.js/commit/6ea641… | x_refsource_MISC |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisoryx_refsource_FEDORA |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| medialize | medialize/uri.js |
Affected:
unspecified , < 1.19.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:46.462Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f"
},
{
"name": "FEDORA-2022-7cca5b6d38",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXSSATHALUSXXD2KT6UFZAX7EG4GR332/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "medialize/uri.js",
"vendor": "medialize",
"versions": [
{
"lessThan": "1.19.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-25T18:06:11.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f"
},
{
"name": "FEDORA-2022-7cca5b6d38",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXSSATHALUSXXD2KT6UFZAX7EG4GR332/"
}
],
"source": {
"advisory": "f53d5c42-c108-40b8-917d-9dad51535083",
"discovery": "EXTERNAL"
},
"title": "Authorization Bypass Through User-Controlled Key in medialize/uri.js",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0613",
"STATE": "PUBLIC",
"TITLE": "Authorization Bypass Through User-Controlled Key in medialize/uri.js"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "medialize/uri.js",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.19.8"
}
]
}
}
]
},
"vendor_name": "medialize"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-639 Authorization Bypass Through User-Controlled Key"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/f53d5c42-c108-40b8-917d-9dad51535083"
},
{
"name": "https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f",
"refsource": "MISC",
"url": "https://github.com/medialize/uri.js/commit/6ea641cc8648b025ed5f30b090c2abd4d1a5249f"
},
{
"name": "FEDORA-2022-7cca5b6d38",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MXSSATHALUSXXD2KT6UFZAX7EG4GR332/"
}
]
},
"source": {
"advisory": "f53d5c42-c108-40b8-917d-9dad51535083",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0613",
"datePublished": "2022-02-16T08:40:09.000Z",
"dateReserved": "2022-02-15T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:32:46.462Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3647 (GCVE-0-2021-3647)
Vulnerability from cvelistv5 – Published: 2021-07-16 10:11 – Updated: 2024-08-03 17:01
VLAI
Title
Open Redirect in medialize/URI.js
Summary
URI.js is vulnerable to URL Redirection to Untrusted Site
Severity
5.3 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/1625558772840-medializ… | x_refsource_CONFIRM |
| https://github.com/medialize/URI.js/commit/ac43ca… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| medialize | medialize/URI.js |
Affected:
unspecified , ≤ 1.19.6
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:08.296Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/1625558772840-medialize/URI.js"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "medialize/URI.js",
"vendor": "medialize",
"versions": [
{
"lessThanOrEqual": "1.19.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "URI.js is vulnerable to URL Redirection to Untrusted Site"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-16T10:11:17.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/1625558772840-medialize/URI.js"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481"
}
],
"source": {
"advisory": "1625558772840-medialize/URI.js",
"discovery": "EXTERNAL"
},
"title": "Open Redirect in medialize/URI.js",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3647",
"STATE": "PUBLIC",
"TITLE": "Open Redirect in medialize/URI.js"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "medialize/URI.js",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "1.19.6"
}
]
}
}
]
},
"vendor_name": "medialize"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "URI.js is vulnerable to URL Redirection to Untrusted Site"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601 URL Redirection to Untrusted Site"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/1625558772840-medialize/URI.js",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/1625558772840-medialize/URI.js"
},
{
"name": "https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481",
"refsource": "MISC",
"url": "https://github.com/medialize/URI.js/commit/ac43ca8f80c042f0256fb551ea5203863dec4481"
}
]
},
"source": {
"advisory": "1625558772840-medialize/URI.js",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3647",
"datePublished": "2021-07-16T10:11:17.000Z",
"dateReserved": "2021-07-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:01:08.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26291 (GCVE-0-2020-26291)
Vulnerability from cvelistv5 – Published: 2020-12-30 23:40 – Updated: 2024-08-04 15:56
VLAI
Title
Hostname spoofing in URI.js
Summary
URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]
Severity
6.5 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/medialize/URI.js/security/advi… | x_refsource_CONFIRM |
| https://www.npmjs.com/package/urijs | x_refsource_MISC |
| https://github.com/medialize/URI.js/releases/tag/… | x_refsource_MISC |
| https://github.com/medialize/URI.js/commit/b02bf0… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:03.814Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.npmjs.com/package/urijs"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "URI.js",
"vendor": "medialize",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node\u0027s built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-30T23:40:16.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.npmjs.com/package/urijs"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155"
}
],
"source": {
"advisory": "GHSA-3329-pjwv-fjpg",
"discovery": "UNKNOWN"
},
"title": "Hostname spoofing in URI.js",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26291",
"STATE": "PUBLIC",
"TITLE": "Hostname spoofing in URI.js"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "URI.js",
"version": {
"version_data": [
{
"version_value": "\u003c 1.19.4"
}
]
}
}
]
},
"vendor_name": "medialize"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node\u0027s built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg",
"refsource": "CONFIRM",
"url": "https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg"
},
{
"name": "https://www.npmjs.com/package/urijs",
"refsource": "MISC",
"url": "https://www.npmjs.com/package/urijs"
},
{
"name": "https://github.com/medialize/URI.js/releases/tag/v1.19.4",
"refsource": "MISC",
"url": "https://github.com/medialize/URI.js/releases/tag/v1.19.4"
},
{
"name": "https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155",
"refsource": "MISC",
"url": "https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155"
}
]
},
"source": {
"advisory": "GHSA-3329-pjwv-fjpg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26291",
"datePublished": "2020-12-30T23:40:16.000Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:56:03.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}