CVE-2024-34343Cross-site Scripting in Nuxt

CWE-79Cross-site ScriptingCWE-83Improper Neutralization of Script in Attributes in a Web Page3 documents3 sources
Severity
6.1MEDIUMNVD
EPSS
0.2%
top 61.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nuxt
Timeline
PublishedAug 5

Description

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API's provided by `unjs/ufo`. This library also contains parsing discrepancies. The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a javascript: protocol. After this, the URL is

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDnuxt/nuxt< 3.12.4
npmnuxt/nuxt< 3.12.4

🔴Vulnerability Details

2
OSV
nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR2024-08-05
GHSA
nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR2024-08-05