#VU49301 Input validation error in urijs - CVE-2020-26291

Cybersecurity Help s.r.o.

Published: 2020-12-31 | Updated: 2021-01-06

Vulnerability identifier: #VU49301

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-26291

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
urijs
Web applications / Modules and components for CMS

Vendor: True Push

Description

The vulnerability allows a remote attacker to perform spoofing attacks.

The vulnerability exists due to insufficient validation of user-supplied hostname. the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

urijs: 1.16.1 - 1.19.3

External links
https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155
https://github.com/medialize/URI.js/releases/tag/v1.19.4
https://github.com/medialize/URI.js/security/advisories/GHSA-3329-pjwv-fjpg
https://www.npmjs.com/package/urijs

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in URI.js