{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45812", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-09T14:23:07.505Z", "datePublished": "2024-09-17T20:08:13.372Z", "dateUpdated": "2024-09-18T13:59:14.314Z"}, "containers": {"cna": {"title": "DOM Clobbering gadget found in vite bundled scripts that leads to XSS in Vite", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3"}, {"name": "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986", "tags": ["x_refsource_MISC"], "url": "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986"}, {"name": "https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad"}, {"name": "https://research.securitum.com/xss-in-amp4email-dom-clobbering", "tags": ["x_refsource_MISC"], "url": "https://research.securitum.com/xss-in-amp4email-dom-clobbering"}, {"name": "https://scnps.co/papers/sp23_domclob.pdf", "tags": ["x_refsource_MISC"], "url": "https://scnps.co/papers/sp23_domclob.pdf"}], "affected": [{"vendor": "vitejs", "product": "vite", "versions": [{"version": ">= 5.4.0, < 5.4.6", "status": "affected"}, {"version": ">= 5.3.0, < 5.3.6", "status": "affected"}, {"version": ">= 5.0.0, < 5.2.14", "status": "affected"}, {"version": ">= 4.0.0, < 4.5.5", "status": "affected"}, {"version": "< 3.2.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-17T20:08:13.372Z"}, "descriptions": [{"lang": "en", "value": "Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`. However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-64vr-g452-qvp3", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "vitejs", "product": "vite", "cpes": ["cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.4.0", "status": "affected", "lessThan": "5.4.6", "versionType": "custom"}, {"version": "5.3.0", "status": "affected", "lessThan": "5.3.6", "versionType": "custom"}, {"version": "5.0.0", "status": "affected", "lessThan": "5.2.14", "versionType": "custom"}, {"version": "4.0.0", "status": "affected", "lessThan": "4.5.5", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "3.2.11", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-18T13:57:07.046459Z", "id": "CVE-2024-45812", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T13:59:14.314Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45812", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-18T13:57:07.046459Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*"], "vendor": "vitejs", "product": "vite", "versions": [{"status": "affected", "version": "5.4.0", "lessThan": "5.4.6", "versionType": "custom"}, {"status": "affected", "version": "5.3.0", "lessThan": "5.3.6", "versionType": "custom"}, {"status": "affected", "version": "5.0.0", "lessThan": "5.2.14", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.5.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "3.2.11", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T13:59:07.767Z"}}], "cna": {"title": "DOM Clobbering gadget found in vite bundled scripts that leads to XSS in Vite", "source": {"advisory": "GHSA-64vr-g452-qvp3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "vitejs", "product": "vite", "versions": [{"status": "affected", "version": ">= 5.4.0, < 5.4.6"}, {"status": "affected", "version": ">= 5.3.0, < 5.3.6"}, {"status": "affected", "version": ">= 5.0.0, < 5.2.14"}, {"status": "affected", "version": ">= 4.0.0, < 4.5.5"}, {"status": "affected", "version": "< 3.2.11"}]}], "references": [{"url": "https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3", "name": "https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986", "name": "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad", "name": "https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad", "tags": ["x_refsource_MISC"]}, {"url": "https://research.securitum.com/xss-in-amp4email-dom-clobbering", "name": "https://research.securitum.com/xss-in-amp4email-dom-clobbering", "tags": ["x_refsource_MISC"]}, {"url": "https://scnps.co/papers/sp23_domclob.pdf", "name": "https://scnps.co/papers/sp23_domclob.pdf", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`. However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-17T20:08:13.372Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45812", "state": "PUBLISHED", "dateUpdated": "2024-09-18T13:59:14.314Z", "dateReserved": "2024-09-09T14:23:07.505Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-17T20:08:13.372Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`. However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "id": "CVE-2024-45812", "lastModified": "2024-09-17T20:15:06.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-17T20:15:06.037", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3"}, {"source": "security-advisories@github.com", "url": "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986"}, {"source": "security-advisories@github.com", "url": "https://research.securitum.com/xss-in-amp4email-dom-clobbering"}, {"source": "security-advisories@github.com", "url": "https://scnps.co/papers/sp23_domclob.pdf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vite: XSS via DOM Clobbering gadget found in vite bundled scripts", "id": "2312935", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312935"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-79", "details": ["Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`. However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "A DOM clobbering vulnerability was found in ViteJS. This may lead to cross-site scripting (XSS) attacks on websites that include Vite-bundled files configured with an output format of cjs, iife, or umd, and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-45812", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "vite", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}], "public_date": "2024-09-17T20:15:06Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-45812\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45812\nhttps://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad\nhttps://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3\nhttps://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986\nhttps://research.securitum.com/xss-in-amp4email-dom-clobbering\nhttps://scnps.co/papers/sp23_domclob.pdf"], "statement": "This issue is classified as moderate severity rather than important due to the specific conditions required to exploit the vulnerability. While DOM Clobbering can lead to Cross-Site Scripting (XSS), the attack surface is relatively limited. Exploitation is contingent on the presence of unsanitized user-supplied HTML with certain scriptless attributes (`name`, `id`) and the use of particular Vite build outputs (`cjs`, `iife`, `umd`). In environments following proper input sanitization practices, the risk is significantly mitigated. Moreover, the vulnerability does not enable direct code injection or compromise by default but rather leverages existing script elements, reducing the likelihood of widespread exploitation compared to higher severity issues.", "threat_severity": "Moderate"}