{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41677", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-18T15:21:47.486Z", "datePublished": "2024-08-06T17:52:14.648Z", "dateUpdated": "2024-08-08T19:04:29.078Z"}, "containers": {"cna": {"title": "Cross-site Scripting (XSS) vulnerability due to improper HTML escaping in qwik", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-2rwj-7xq8-4gx4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-2rwj-7xq8-4gx4"}, {"name": "https://github.com/QwikDev/qwik/commit/7e742eb3a1001542d795776c0317d47df8b9d64e", "tags": ["x_refsource_MISC"], "url": "https://github.com/QwikDev/qwik/commit/7e742eb3a1001542d795776c0317d47df8b9d64e"}, {"name": "https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208", "tags": ["x_refsource_MISC"], "url": "https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208"}], "affected": [{"vendor": "QwikDev", "product": "qwik", "versions": [{"version": "@builder.io/qwik: < 1.7.3", "status": "affected"}, {"version": "qwik: < 1.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-06T17:52:14.648Z"}, "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the `render-ssr.ts` file. It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). This has been resolved in qwik version 1.6.0 and @builder.io/qwik version 1.7.3. All users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-2rwj-7xq8-4gx4", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "qwikdev", "product": "qwik", "cpes": ["cpe:2.3:a:qwikdev:qwik:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.6.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-08T19:02:06.566486Z", "id": "CVE-2024-41677", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-08T19:04:29.078Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41677", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-18T15:21:47.486Z", "datePublished": "2024-08-06T17:52:14.648Z", "dateUpdated": "2024-08-08T19:04:29.078Z"}, "containers": {"cna": {"title": "Cross-site Scripting (XSS) vulnerability due to improper HTML escaping in qwik", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-2rwj-7xq8-4gx4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-2rwj-7xq8-4gx4"}, {"name": "https://github.com/QwikDev/qwik/commit/7e742eb3a1001542d795776c0317d47df8b9d64e", "tags": ["x_refsource_MISC"], "url": "https://github.com/QwikDev/qwik/commit/7e742eb3a1001542d795776c0317d47df8b9d64e"}, {"name": "https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208", "tags": ["x_refsource_MISC"], "url": "https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208"}], "affected": [{"vendor": "QwikDev", "product": "qwik", "versions": [{"version": "@builder.io/qwik: < 1.7.3", "status": "affected"}, {"version": "qwik: < 1.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-06T17:52:14.648Z"}, "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the `render-ssr.ts` file. It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). This has been resolved in qwik version 1.6.0 and @builder.io/qwik version 1.7.3. All users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-2rwj-7xq8-4gx4", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41677", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-08T19:02:06.566486Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:qwikdev:qwik:*:*:*:*:*:*:*:*"], "vendor": "qwikdev", "product": "qwik", "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-08T19:04:13.675Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "63BA82A0-A741-4CE2-B1F0-62ED741C1592", "versionEndExcluding": "1.7.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the `render-ssr.ts` file. It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). This has been resolved in qwik version 1.6.0 and @builder.io/qwik version 1.7.3. All users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Qwik es un framework de JavaScript centrado en el rendimiento. Existe una vulnerabilidad XSS de mutaci\u00f3n potencial en Qwik para versiones hasta la 1.6.0, pero no incluida. Qwik escapa incorrectamente de HTML en la representaci\u00f3n del lado del servidor. Convierte cadenas de acuerdo con las reglas que se encuentran en el archivo `render-ssr.ts`. A veces causa la situaci\u00f3n en la que el \u00e1rbol DOM final renderizado en los navegadores es diferente de lo que Qwik espera en el renderizado del lado del servidor. Esto se puede aprovechar para realizar ataques XSS, y un tipo de XSS se conoce como mXSS (mutaci\u00f3n XSS). Esto se resolvi\u00f3 en qwik versi\u00f3n 1.6.0 y @builder.io/qwik versi\u00f3n 1.7.3. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-41677", "lastModified": "2024-08-12T18:51:29.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-08-06T18:15:56.883", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/QwikDev/qwik/commit/7e742eb3a1001542d795776c0317d47df8b9d64e"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-2rwj-7xq8-4gx4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}