CVE-2024-32468: Cross-site Scripting in Deno

Severity
5.4 MEDIUM (NVD)
EPSS
0.1%
top 74.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 25

Description

Deno is a runtime for JavaScript and TypeScript written in Rust. Several cross-site scripting vulnerabilities existed in the `deno_doc` crate which led to Self-XSS with `deno doc --html`. 1) XSS in the generated `search_index.js`: `deno_doc` outputs a JavaScript file for searching, but the generated file used `innerHTML` on unsanitized HTML input. 2) XSS via property, method and enum names: `deno_doc` did not sanitize property names, method names and enum names. The first XSS most likely didn't
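The two bugs above share one root cause: untrusted identifiers and doc text reach the page as markup. The added example below (not deno_doc's code; `renderMemberUnsafe`, `renderMemberSafe`, `renderSearchIndex` and the sample member are assumptions constructed for illustration) shows the vulnerable interpolation beside a hardened renderer, plus a search index that ships names as data so the client can set them with `textContent` instead of `innerHTML`.

```javascript
// Added example (not deno_doc's code): escaping symbol names (property,
// method, enum member) before a doc generator emits them into HTML.

// Minimal HTML escaper, safe for text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (mirrors the advisory): raw name and doc text are
// interpolated straight into markup.
function renderMemberUnsafe(member) {
  return `<li class="${member.kind}"><code>${member.name}</code>${member.doc}</li>`;
}

// Hardened: every untrusted field is escaped and the CSS class is taken
// from a fixed allow-list rather than from input.
const ALLOWED_KINDS = new Set(["property", "method", "enum-member"]);
function renderMemberSafe(member) {
  const kind = ALLOWED_KINDS.has(member.kind) ? member.kind : "unknown";
  return `<li class="${kind}"><code>${escapeHtml(member.name)}</code>${escapeHtml(member.doc)}</li>`;
}

// For the generated search index: emit names as JSON data, never as markup.
// The client-side consumer should assign them with el.textContent, not
// el.innerHTML, so a name like the sample below is displayed, not parsed.
function renderSearchIndex(members) {
  const entries = members.map((m) => ({ kind: m.kind, name: m.name }));
  return "window.DOC_SEARCH_INDEX = " + JSON.stringify(entries) + ";";
}

// Constructed sample: a hostile identifier of the kind that can appear when
// documenting third-party code (e.g. a quoted object-literal key).
const SAMPLE_MEMBER = {
  kind: "property",
  name: '<img src=x onerror="alert(1)">',
  doc: "Holds the value",
};

// Detection helper for tests: did an unescaped tag from the input survive?
function containsRawTag(html) {
  return /<img\b/i.test(html);
}
```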

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (Exploitability: 2.3 | Impact: 2.7)

Affected Packages (1 package)

CVEListV5: denoland/deno, deno: < 1.42.0, deno_doc: < 0.119.0 (+1)

Vulnerability Details (2 references)

OSV: deno_doc's HTML generator vulnerable to Cross-site Scripting (2024-11-25)
GHSA: deno_doc's HTML generator vulnerable to Cross-site Scripting (2024-11-25)