vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
- Severity: Medium
Description
A vulnerability has been discovered in vue-template-compiler that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties, such as Object.prototype.staticClass or Object.prototype.staticStyle, to execute arbitrary JavaScript code. Vue 2 has reached End-of-Life.
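The following is an added example, not code from this advisory or from Vue. It is a simplified model of why a value placed on Object.prototype is picked up by a plain property read on an element object that never set it, and of two defensive checks. The function names, the element object and the polluted value are constructed for illustration; only the key names staticClass and staticStyle come from the advisory.

```javascript
// Added example (not Vue's code): simplified model of reading optional
// fields from an AST-like element object.
const WATCHED_KEYS = ['staticClass', 'staticStyle']; // key names from the advisory

// Detection: report which watched keys are defined directly on Object.prototype.
// On a healthy runtime this returns an empty array.
function findPollutedKeys(keys = WATCHED_KEYS) {
  return keys.filter((k) =>
    Object.prototype.hasOwnProperty.call(Object.prototype, k));
}

// Weak read: plain property access walks the prototype chain, so a value
// set on Object.prototype appears on every ordinary object.
function readFieldUnsafe(el, key) {
  return el[key];
}

// Hardened read: only properties the element itself owns are trusted.
function readFieldSafe(el, key) {
  return Object.prototype.hasOwnProperty.call(el, key) ? el[key] : undefined;
}

// Simulates pollution with a harmless constructed marker, compares the
// reads, and always restores Object.prototype afterwards.
function demo() {
  const el = { tag: 'div' }; // constructed element with no class or style
  Object.prototype.staticClass = 'CONSTRUCTED_POLLUTED_VALUE';
  try {
    // A null-prototype copy has no chain to inherit from.
    const bare = Object.assign(Object.create(null), el);
    return {
      polluted: findPollutedKeys(),
      unsafe: readFieldUnsafe(el, 'staticClass'),
      safe: readFieldSafe(el, 'staticClass'),
      nullProto: readFieldUnsafe(bare, 'staticClass'),
    };
  } finally {
    delete Object.prototype.staticClass;
  }
}
```

Running findPollutedKeys() at application start-up, or in a test suite after dependencies are loaded, flags pollution of these keys before any template is compiled.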
Recommendation
Update the vue-template-compiler package to the latest compatible version. Version details:
- Affected version(s): >= 2.0.0, < 3.0.0
- Patched version(s): 3.0.0
Related Issues
- Volto affected by possible DoS by invoking specific URL by anonymous user - CVE-2025-58047
- @intlify/shared Prototype Pollution vulnerability (GHSA-hjwq-mjwj-4x6c) 3 - CVE-2024-52810
- @intlify/shared Prototype Pollution vulnerability (GHSA-hjwq-mjwj-4x6c) 2 - CVE-2024-52810
- angular-base64-upload vulnerable to unauthenticated remote code execution - CVE-2024-42640
- Tags: npm, vue-template-compiler
Last updated on August 30, 2024