logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-45047 svelte

Package

Manager: npm
Name: svelte
Vulnerable Version: >=0 <4.2.19

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00113 pctl0.30616

Details

Svelte has a potential mXSS vulnerability due to improper HTML escaping ### Summary A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19. ### Details Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules: - If the string is an attribute value: - `"` -> `&quot;` - `&` -> `&amp;` - Other characters -> No conversion - Otherwise: - `<` -> `&lt;` - `&` -> `&amp;` - Other characters -> No conversion The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a `<noscript>` tag. ### PoC A vulnerable page (`+page.svelte`): ```html <script> import { page } from "$app/stores" // user input let href = $page.url.searchParams.get("href") ?? "https://example.com"; </script> <noscript> <a href={href}>test</a> </noscript> ``` If a user accesses the following URL, ``` http://localhost:4173/?href=</noscript><script>alert(123)</script> ``` then, `alert(123)` will be executed. ### Impact XSS, when using an attribute within a noscript tag

Metadata

Created: 2024-08-30T16:49:10Z
Modified: 2024-08-30T20:01:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-8266-84wp-wv5c/GHSA-8266-84wp-wv5c.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-8266-84wp-wv5c
Finding: F008
Auto approve: 1