Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-45047
Summary
Svelte is a performance-oriented web framework. A potential mXSS vulnerability exists in Svelte for versions through 4.2.18, 5.0.0-next.1 through 5.0.0-next.120. Svelte improperly escapes HTML during server-side rendering. The assumption is that attributes will always remain as such, but in some situations, the final DOM tree rendered in browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks, specifically a type known as mXSS (mutation XSS). More specifically, this can occur when injecting malicious content into an attribute within a "noscript" tag. Users are advised to upgrade, as no known workarounds exist for this vulnerability.
- LOW
- NETWORK
- LOW
- CHANGED
- REQUIRED
- NONE
- LOW
- NONE
CWE-79 - Cross Site Scripting
Cross-Site Scripting, commonly referred to as XSS, is the most dominant class of vulnerabilities. It allows an attacker to inject malicious code into a pregnable web application and victimize its users. The exploitation of such a weakness can cause severe issues such as account takeover, and sensitive data exfiltration. Because of the prevalence of XSS vulnerabilities and their high rate of exploitation, it has remained in the OWASP top 10 vulnerabilities for years.
References
Advisory Timeline
- Published