Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-47885
Summary
The Astro web framework has a DOM Clobbering gadget in its client-side router in versions 3.2.0 through 4.16.0 and 5.0.0-alpha.0 through 5.0.0-beta.4. It can lead to Cross-site Scripting (XSS) on websites that enable Astro's client-side routing with 'ViewTransitions' and store attacker-controlled scriptless HTML elements (i.e., 'iframe' tags with unsanitized 'name' attributes) on the destination pages. Sites built with Astro are affected only when both conditions hold: client-side routing is enabled, and user-inserted scriptless HTML tags are stored on the page without properly sanitizing their 'name' attributes.
- LOW
- NETWORK
- LOW
- CHANGED
- REQUIRED
- LOW
- LOW
- NONE
CWE-79 - Cross Site Scripting
Cross-Site Scripting, commonly referred to as XSS, is the most prevalent class of web application vulnerabilities. It allows an attacker to inject malicious script into a vulnerable web application and attack its users in the context of their sessions. Exploitation of such a weakness can cause severe consequences such as account takeover and sensitive data exfiltration. Because of the prevalence of XSS vulnerabilities and their high rate of exploitation, XSS has remained in the OWASP Top 10 for years.
References
Advisory Timeline
- Published