Description
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Recommendation
Update the webpack package to the latest compatible version. The following are the version details:
- Affected version(s): >= 5.0.0, < 5.76.0
- Patched version(s): 5.76.0
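One way to act on the version range above is to scan a lockfile for every installed copy of webpack, including nested copies under other packages, and flag those in the affected range. This is an added example, not code from the advisory or from the webpack project; it assumes a package-lock.json with `lockfileVersion` 2 or 3 (keys in `packages` are `node_modules/...` paths) and uses a constructed sample lockfile.

```javascript
// Added example: flag webpack installs in the advisory's affected range
// ">= 5.0.0, < 5.76.0" by walking a lockfile's "packages" map.
// Assumes lockfileVersion 2 or 3 layout (keys are "node_modules/..." paths).

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts. The prerelease
// tag is ignored, which is conservative: "5.76.0-beta.1" is not flagged only
// because its numeric part equals the patched version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: >= 5.0.0 and < 5.76.0.
function isAffectedWebpackVersion(version) {
  const v = parseVersion(version);
  return compare(v, [5, 0, 0]) >= 0 && compare(v, [5, 76, 0]) < 0;
}

// Walk every entry, including nested copies such as
// node_modules/some-tool/node_modules/webpack, and return affected paths.
function findAffectedWebpack(lock) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Scoped names ("@scope/name") survive this split; the root entry "" is skipped by name.
    const name = pkg.name || path.split("node_modules/").pop();
    if (name === "webpack" && pkg.version && isAffectedWebpackVersion(pkg.version)) {
      hits.push({ path, version: pkg.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project's lockfile).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/webpack": { version: "5.76.0" },
    "node_modules/legacy-tool/node_modules/webpack": { version: "5.75.0" },
    "node_modules/webpack-cli": { version: "5.0.1" },
  },
};

console.log(findAffectedWebpack(sampleLock));
```

Point `findAffectedWebpack` at `JSON.parse(fs.readFileSync("package-lock.json"))` to check a real project; only the nested 5.75.0 copy in the sample is reported.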
References
Related Issues
- Cross-Site-Scripting attack on `<RichTextField>` (GHSA-5jcr-82fh-339v) - CVE-2023-25572
- Vega Expression Language `scale` expression function Cross Site Scripting (GHSA-4vq7-882g-wcg4) - CVE-2023-26486
- Vega has Cross-site Scripting vulnerability in `lassoAppend` function (GHSA-w5m3-xh75-mp55) - CVE-2023-26487
Tags:
- npm
- webpack
Last updated on October 30, 2023