
CVE-2024-47068
Date: September 23, 2024
Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability.
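To make the gadget concrete, here is an added example (not Rollup's code and not part of this advisory) that models, as a simplified reconstruction, the `import.meta.url` helper Rollup emits for `iife`/`umd`/`cjs` output, next to a hardened resolver that only trusts a genuine `<script>` element. The `document` objects are constructed stubs and the fallback file name `main.js` is assumed, so it runs under Node without a browser.

```javascript
// Added example: models the import.meta.url helper emitted by Rollup for
// iife/umd/cjs bundles (simplified reconstruction, not Rollup's verbatim output)
// and a hardened variant in the spirit of the 3.29.5 / 4.22.4 fix.
// Every "document" object below is a constructed stub, not a real DOM.

const FALLBACK_FILE = 'main.js'; // assumed bundle file name for the baseURI fallback

// Vulnerable shape: trusts whatever document.currentScript returns and reads .src.
function importMetaUrlVulnerable(document) {
  return (document.currentScript && document.currentScript.src) ||
    new URL(FALLBACK_FILE, document.baseURI).href;
}

// Hardened shape: only a real <script> element may supply the URL; anything else
// (an element that shadows the property via an unsanitized name attribute, or null)
// falls back to resolving against document.baseURI.
function importMetaUrlHardened(document) {
  const cur = document.currentScript;
  const isScript = !!cur && typeof cur.tagName === 'string' &&
    cur.tagName.toUpperCase() === 'SCRIPT';
  return (isScript && cur.src) || new URL(FALLBACK_FILE, document.baseURI).href;
}

// Constructed stub: the normal case, the bundle was loaded by <script src=...>.
function normalDocument() {
  return {
    baseURI: 'https://app.example/assets/',
    currentScript: { tagName: 'SCRIPT', src: 'https://app.example/assets/main.js' },
  };
}

// Constructed stub: a scriptless <img name="currentScript" src=...> shadows the
// real property, so document.currentScript now yields the image element.
function clobberedDocument() {
  return {
    baseURI: 'https://app.example/assets/',
    currentScript: { tagName: 'IMG', src: 'https://attacker.invalid/payload.js' },
  };
}

// Reports which origin each resolver hands to the bundle in the clobbered case.
function compare() {
  const doc = clobberedDocument();
  return {
    vulnerable: new URL(importMetaUrlVulnerable(doc)).origin,
    hardened: new URL(importMetaUrlHardened(doc)).origin,
  };
}

console.log(compare()); // { vulnerable: 'https://attacker.invalid', hardened: 'https://app.example' }
```

Any code path that later builds URLs from `import.meta.url` (dynamic imports, worker scripts, asset fetches) inherits the attacker-chosen origin in the vulnerable case, which is how the clobbered value escalates to XSS.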
Language: TypeScript
Weakness Type (CWE)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Top Fix
Upgrade Version
Upgrade rollup to version 3.29.5 (3.x line) or 4.22.4 (4.x line), the releases that contain the patch.
Severity Score (CVSS v3.1)

| Metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | LOW |
| Privileges Required (PR) | NONE |
| User Interaction (UI) | REQUIRED |
| Scope (S) | CHANGED |
| Confidentiality (C) | LOW |
| Integrity (I) | LOW |
| Availability (A) | NONE |

Vector string for the metrics above: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N