Input validation error in URI.js

#VU69644 Input validation error in URI.js

Published: 2022-11-28

Vulnerability identifier: #VU69644

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-24723

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
URI.js
Web applications / Modules and components for CMS

Vendor: Medialize

Description

The vulnerability allows a remote attacker to modify application behavior.

The vulnerability exists due to insufficient validation of user-supplied input when handling whitespace characters in URL. A remote attacker can pass specially crafted input to the application and modify application behavior.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

URI.js: 1.0.0 - 1.19.8

External links
http://github.com/medialize/URI.js/security/advisories/GHSA-gmv4-r438-p67f
http://github.com/medialize/URI.js/releases/tag/v1.19.9
http://github.com/medialize/uri.js/commit/86d10523a6f6e8dc4300d99d671335ee362ad316
http://huntr.dev/bounties/82ef23b8-7025-49c9-b5fc-1bb9885788e5/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

Multiple vulnerabilities in Red Hat Fuse

Improper input validation in URI.js