Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability.
Metrics
Affected Vendors & Products
References
History
Mon, 23 Sep 2024 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
| |
Metrics |
threat_severity
|
threat_severity
|
Mon, 23 Sep 2024 16:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Rollup
Rollup rollup |
|
CPEs | cpe:2.3:a:rollup:rollup:*:*:*:*:*:*:*:* | |
Vendors & Products |
Rollup
Rollup rollup |
|
Metrics |
ssvc
|
Mon, 23 Sep 2024 15:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability. | |
Title | DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS | |
Weaknesses | CWE-79 | |
References |
|
|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-09-23T15:26:09.313Z
Updated: 2024-09-23T15:53:25.040Z
Reserved: 2024-09-17T17:42:37.029Z
Link: CVE-2024-47068
Vulnrichment
Updated: 2024-09-23T15:53:10.610Z
NVD
Status : Awaiting Analysis
Published: 2024-09-23T16:15:06.947
Modified: 2024-09-26T13:32:55.343
Link: CVE-2024-47068
Redhat