Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
- Severity:
- Medium
Description
We discovered a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
Recommendation
Update the webpack package to the latest compatible version. Followings are version details:
- Affected version(s): >= 5.0.0-alpha.0, < 5.94.0
- Patched version(s): 5.94.0
References
- GHSA-4vvj-4cpr-p986
- research.securitum.com
- scnps.co
- CVE-2024-43788
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS - CVE-2024-45812
- DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS - CVE-2024-47068
- DOM Clobbering Gadget found in astro's client-side router that leads to XSS - CVE-2024-47885
- Layui has DOM Clobbering gadgets that leads to Cross-site Scripting - CVE-2024-47075
- Tags:
- npm
- webpack
Anything's wrong? Let us know Last updated on September 03, 2024