CVE-2024-45812
Published 2024-09-17
Priority P4 33 medium 6.4 CVSS 3.1
AV:N / AC:H / PR:L / UI:N / S:U / C:L / I:L / A:H
EPSS: 0.64% (45.9th percentile)
Vite is a frontend build tooling framework for JavaScript. Affected versions of Vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present.

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markup in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of JavaScript code) living in the existing JavaScript code to transform it into executable code.

We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`. However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the `src` attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the `name` or `id` attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known w
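The difference between trusting the `document.currentScript` lookup and validating it before use, as an added example (not Vite's code or its patch). The `document` objects are constructed stand-ins so the block runs in Node; the function names and the origin allowlist are assumptions.

```javascript
// Unsafe pattern described above: use whatever the lookup returns.
function unsafeScriptBase(doc, fallback) {
  return (doc.currentScript && doc.currentScript.src) || fallback;
}

// Hardened lookup: accept the value only when it is a real <script> element
// whose src resolves to an origin the application expects (assumed policy).
function safeScriptBase(doc, pageUrl, allowedOrigins, fallback) {
  const el = doc.currentScript;
  const isScript = Boolean(el) && typeof el.tagName === 'string' &&
    el.tagName.toUpperCase() === 'SCRIPT';
  if (!isScript || typeof el.src !== 'string' || el.src === '') return fallback;
  try {
    const src = new URL(el.src, pageUrl);
    return allowedOrigins.includes(src.origin) ? src.href : fallback;
  } catch {
    return fallback; // unparsable src
  }
}

// Asset URLs are resolved relative to the chosen base.
function resolveAsset(base, relPath) {
  return new URL(relPath, base).href;
}

// Constructed stand-ins for `document` in three states: the genuine script,
// a non-script element shadowing the property, and an off-origin script.
const PAGE = 'https://app.example/post/1';
const FALLBACK = 'https://app.example/assets/';
const ALLOWED = ['https://app.example'];
const genuineDoc = { currentScript: { tagName: 'SCRIPT', src: 'https://app.example/assets/main.js' } };
const shadowedDoc = { currentScript: { tagName: 'IMG', src: 'https://untrusted.example/x/' } };
const offOriginDoc = { currentScript: { tagName: 'script', src: 'https://other.example/a.js' } };

// Resolve the same relative chunk path through both lookups for each state.
function demo() {
  return [genuineDoc, shadowedDoc, offOriginDoc].map((doc) => ({
    unsafe: resolveAsset(unsafeScriptBase(doc, FALLBACK), 'chunk.js'),
    safe: resolveAsset(safeScriptBase(doc, PAGE, ALLOWED, FALLBACK), 'chunk.js'),
  }));
}

console.log(demo());
```

Only the hardened lookup keeps every resolved chunk URL on the expected origin; upgrading to a patched Vite release remains the fix the advisory recommends.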
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astro | astro | >= 3.0.0 < 4.16.1 | 4.16.1 |
| layui | layui | >= 0 < 2.9.17 | 2.9.17 |
| vitejs | vite | < 3.2.11 | 3.2.11 |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | >= 0 < 3.2.11 | 3.2.11 |
| vitejs | vite | >= 4.0.0 < 4.5.4 | 4.5.4 |
| vitejs | vite | >= 5.0.0 < 5.1.8 | 5.1.8 |
| vitejs | vite | >= 5.2.0 < 5.2.14 | 5.2.14 |
| vitejs | vite | >= 5.3.0 < 5.3.6 | 5.3.6 |
| vitejs | vite | >= 5.4.0 < 5.4.6 | 5.4.6 |
CVSS provenance
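| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H |
| ghsa | — | 6.1 | MEDIUM | — |
| osv | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.4 | MEDIUM | — |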
GHSA
DOM Clobbering Gadget found in astro's client-side router that leads to XSS
ghsa·2024-10-14
CVE-2024-47885 [MEDIUM] CWE-79 DOM Clobbering Gadget found in astro's client-side router that leads to XSS
### Summary
A DOM Clobbering gadget has been discovered in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites that enable Astro's client-side routing and have *stored* attacker-controlled scriptless HTML elements (i.e., `iframe` tags with unsanitized `name` attributes) on the destination pages.
### Details
#### Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markup in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of JavaScript code) living in the existing JavaScript code to transform it into executable code. For more information about DOM Clobbering, here are some references
OSV
DOM Clobbering Gadget found in astro's client-side router that leads to XSS
osv·2024-10-14
CVE-2024-47885 [MEDIUM] DOM Clobbering Gadget found in astro's client-side router that leads to XSS
### Summary
A DOM Clobbering gadget has been discovered in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites that enable Astro's client-side routing and have *stored* attacker-controlled scriptless HTML elements (i.e., `iframe` tags with unsanitized `name` attributes) on the destination pages.
### Details
#### Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markup in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of JavaScript code) living in the existing JavaScript code to transform it into executable code. For more information about DOM Clobbering, here are some references
OSV
Layui has DOM Clobbering gadgets that leads to Cross-site Scripting
osv·2024-09-26·CVSS 6.1
CVE-2024-47075 [MEDIUM] Layui has DOM Clobbering gadgets that leads to Cross-site Scripting
### Summary
A DOM Clobbering vulnerability has been discovered in `layui` that can lead to Cross-site Scripting (XSS) on web pages where attacker-controlled HTML elements (e.g., `img` tags with unsanitized `name` attributes) are present.
It's worth noting that we’ve identified similar issues in other popular client-side libraries like Webpack ([CVE-2024-43788](https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986)) and Vite ([CVE-2024-45812](https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3)), which might serve as valuable references.
### Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups
GHSA
Layui has DOM Clobbering gadgets that leads to Cross-site Scripting
ghsa·2024-09-26·CVSS 6.1
CVE-2024-47075 [MEDIUM] CWE-79 Layui has DOM Clobbering gadgets that leads to Cross-site Scripting
### Summary
A DOM Clobbering vulnerability has been discovered in `layui` that can lead to Cross-site Scripting (XSS) on web pages where attacker-controlled HTML elements (e.g., `img` tags with unsanitized `name` attributes) are present.
It's worth noting that we’ve identified similar issues in other popular client-side libraries like Webpack ([CVE-2024-43788](https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986)) and Vite ([CVE-2024-45812](https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3)), which might serve as valuable references.
### Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups
GHSA
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
ghsa·2024-09-17
CVE-2024-45812 [MEDIUM] CWE-79 Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
### Summary
We discovered a DOM Clobbering vulnerability in Vite when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
Note that we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
### Details
**Backgrounds**
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of
OSV
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
osv·2024-09-17
CVE-2024-45812 [MEDIUM] Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
### Summary
We discovered a DOM Clobbering vulnerability in Vite when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
Note that we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
### Details
**Backgrounds**
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of
Red Hat
vite: XSS via DOM Clobbering gadget found in vite bundled scripts
vendor_redhat·2024-09-17·CVSS 6.4
CVE-2024-45812 [MEDIUM] CWE-79 vite: XSS via DOM Clobbering gadget found in vite bundled scripts
Vite is a frontend build tooling framework for JavaScript. Affected versions of Vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markup in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of JavaScript code) living in the existing JavaScript code to transform it into executable code. We have identified a D
No detection rules found.
No public exploits indexed.
https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad
https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3
https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
https://research.securitum.com/xss-in-amp4email-dom-clobbering
https://scnps.co/papers/sp23_domclob.pdf
2024-09-17
Published