CVE-2024-45812 — Cross-site Scripting in Vite

CWE-79 — Cross-site Scripting8 documents4 sources

Severity

6.4MEDIUMNVD

GHSA6.1OSV6.1

EPSS

0.3%

top 50.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vitejs Vite Astro Layui

Timeline

PublishedSep 17

Latest updateOct 14

Description

Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of no…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:HExploitability: 1.6 | Impact: 4.7

Affected Packages4 packages

▶CVEListV5vitejs/vite< 3.2.11+4

▶npmvitejs/vite5.4.0 — 5.4.6+5

▶npmastro/astro3.0.0 — 4.16.1

▶npmlayui/layui< 2.9.17

🔴Vulnerability Details

GHSA

DOM Clobbering Gadget found in astro's client-side router that leads to XSS↗2024-10-14

▶

OSV

DOM Clobbering Gadget found in astro's client-side router that leads to XSS↗2024-10-14

▶

OSV

Layui has DOM Clobbering gadgets that leads to Cross-site Scripting↗2024-09-26

▶

GHSA

Layui has DOM Clobbering gadgets that leads to Cross-site Scripting↗2024-09-26

▶

GHSA

Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS↗2024-09-17

▶

📋Vendor Advisories

Red Hat

vite: XSS via DOM Clobbering gadget found in vite bundled scripts↗2024-09-17

▶