Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
- Severity: Medium
Description
We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
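To make the gadget concrete, the added example below (not Vite's code) shows why a named, scriptless element matters to bundled code, and the defensive check that neutralises it. It assumes, which this page does not state, that the clobberable property is `document.currentScript`, which bundlers commonly read to derive the bundle's own URL; the DOM objects are constructed stand-ins so the snippet runs under Node.

```javascript
// Added example, not Vite's code. Assumption (not stated on this page): the
// bundled gadget reads document.currentScript.src. Named elements on the
// Document object override built-in properties, so attacker-controlled markup
// can shadow that lookup. The stand-in objects below are constructed so the
// snippet runs in Node without a browser.

function makeElement(tagName, attrs) {
  return { tagName, ...attrs };
}

// Normal page: the bundle's own <script> element is the current script.
const cleanDocument = {
  baseURI: "https://app.example/index.html",
  currentScript: makeElement("SCRIPT", { src: "https://app.example/assets/bundle.js" }),
};

// Same page after scriptless, attacker-controlled markup such as
// <img name="currentScript" src="https://evil.example/x.js"> is injected:
// the browser now exposes that <img> as document.currentScript.
const clobberedDocument = {
  baseURI: "https://app.example/index.html",
  currentScript: makeElement("IMG", { name: "currentScript", src: "https://evil.example/x.js" }),
};

// Vulnerable pattern: trusts whatever object sits at document.currentScript.
function scriptUrlUnsafe(doc, fallbackFile) {
  return (doc.currentScript && doc.currentScript.src) || new URL(fallbackFile, doc.baseURI).href;
}

// Hardened pattern: only accept a genuine <script> element; anything else
// (a clobbering <img>, <form>, <object>, ...) falls back to the document base.
function scriptUrlSafe(doc, fallbackFile) {
  const el = doc.currentScript;
  const isScript = !!el && typeof el.tagName === "string" && el.tagName.toUpperCase() === "SCRIPT";
  return (isScript && el.src) || new URL(fallbackFile, doc.baseURI).href;
}
```

Both functions resolve the same URL on the clean page; on the clobbered page only `scriptUrlSafe` refuses the attacker-controlled `src` and stays on the application's origin.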
Recommendation
Update the vite package to the latest compatible version. Version details:
Affected version(s): **< 3.2.11; >= 4.0.0, < 4.5.4; >= 5.0.0, < 5.1.8; >= 5.2.0, < 5.2.14; >= 5.3.0, < 5.3.6; >= 5.4.0, < 5.4.6**
Patched version(s): **3.2.11, 4.5.4, 5.1.8, 5.2.14, 5.3.6, 5.4.6**
References
- GHSA-64vr-g452-qvp3
- research.securitum.com
- scnps.co
- CVE-2024-45812
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS - CVE-2024-47068
- DOM Clobbering Gadget found in astro's client-side router that leads to XSS - CVE-2024-47885
- Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - CVE-2024-43788
- DOM Clobbering Gadget found in Rspack's AutoPublicPathRuntimeModule that leads to XSS - Vulnerability
- Tags: npm, vite
Last updated on September 19, 2024