Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
- Severity:
- Medium
Description
We discovered a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
Recommendation
Update the webpack package to the latest compatible version. Followings are version details:
- Affected version(s): >= 5.0.0-alpha.0, < 5.94.0
- Patched version(s): 5.94.0
References
- GHSA-4vvj-4cpr-p986
- research.securitum.com
- scnps.co
- CVE-2024-43788
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user - CVE-2025-61668
- Systeminformation has command injection vulnerability in getWindowsIEEE8021x (SSID) - CVE-2024-56334
- @workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled - CVE-2024-51752
- @fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state - CVE-2023-31999
- Tags:
- npm
- webpack
Anything's wrong? Let us know Last updated on September 03, 2024