logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-45389 @pagefind/modular-ui

Package

Manager: npm
Name: @pagefind/modular-ui
Vulnerable Version: >=0 <1.1.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0012 pctl0.31665

Details

DOM clobbering could escalate to Cross-site Scripting (XSS) Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script you load. This information is gathered by looking up the value of `document.currentScript.src`. It is possible to "clobber" this lookup with otherwise benign HTML on the page, for example: ```html <img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img> ``` This will cause `document.currentScript.src` to resolve as an external domain, which will then be used by Pagefind to load dependencies. This exploit would only work in the case that an attacker could inject HTML to your live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, `img` tags with a `name` attribute), but not others, as adding a `script` to the page would itself be the XSS vector. Pagefind has tightened this resolution by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind. ### Original Report If an attacker can inject benign html, such as: `<img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img>` they can clobber `document.currentScript.src` leading to XSS in your library. Here is the same attack on webpack that was accepted: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986

Metadata

Created: 2024-09-03T19:33:36Z
Modified: 2024-09-12T21:38:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-gprj-6m2f-j9hx/GHSA-gprj-6m2f-j9hx.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-gprj-6m2f-j9hx
Finding: F008
Auto approve: 1