The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has *stored* attacker-controlled scriptless HTML elements (i.e., `iframe` tags with unsanitized `name` attributes) on the destination pages. This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with `ViewTransitions` and store the user-inserted scriptless HTML tags without properly sanitizing the `name` attributes on the page. Version 4.16.1 contains a patch for this issue.
Metrics
Affected Vendors & Products
References
History
Tue, 15 Oct 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Withastro
Withastro astro |
|
CPEs | cpe:2.3:a:withastro:astro:*:*:*:*:*:*:*:* | |
Vendors & Products |
Withastro
Withastro astro |
|
Metrics |
ssvc
|
Mon, 14 Oct 2024 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has *stored* attacker-controlled scriptless HTML elements (i.e., `iframe` tags with unsanitized `name` attributes) on the destination pages. This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with `ViewTransitions` and store the user-inserted scriptless HTML tags without properly sanitizing the `name` attributes on the page. Version 4.16.1 contains a patch for this issue. | |
Title | astro's client-side router has DOM Clobbering Gadget that leads to XSS | |
Weaknesses | CWE-79 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-10-14T19:06:09.681Z
Updated: 2024-10-15T14:51:20.142Z
Reserved: 2024-10-04T16:00:09.631Z
Link: CVE-2024-47885
Vulnrichment
Updated: 2024-10-15T14:51:11.195Z
NVD
Status : Awaiting Analysis
Published: 2024-10-14T19:15:10.903
Modified: 2024-10-15T12:57:46.880
Link: CVE-2024-47885
Redhat
No data.