svelte performance oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19. Svelte improperly escapes HTML on server-side rendering. The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). More specifically, this can occur when injecting malicious content into an attribute within a `noscript` tag. This issue has been addressed in release version 4.2.19. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| Link | Resource |
|---|---|
| https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c | Exploit Third Party Advisory |
Configurations
History
25 Sep 2024, 19:06
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
| First Time |
Svelte svelte
Svelte |
|
| References | () https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c - Exploit, Third Party Advisory | |
| CPE | cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:* | |
| CWE | CWE-79 |
30 Aug 2024, 17:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2024-08-30 17:15
Updated : 2024-09-25 19:06
NVD link : CVE-2024-45047
Mitre link : CVE-2024-45047
JSON object : View
Products Affected
svelte
- svelte
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')