CVE-2024-45389

EPSS 1.22%
Veröffentlicht 03.09.2024 20:15:08
Zuletzt bearbeitet 14.10.2025 14:44:29
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Pagefind, a fully static search library, initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script the user loads. This information is gathered by looking up the value of `document.currentScript.src`. Prior to Pagefind version 1.1.1, it is possible to "clobber" this lookup with otherwise benign HTML on the page. This will cause `document.currentScript.src` to resolve as an external domain, which will then be used by Pagefind to load dependencies. This exploit would only work in the case that an attacker could inject HTML to a live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, `img` tags with a `name` attribute), but not others, as adding a `script` to the page would itself be the cross-site scripting vector. Pagefind has tightened this resolution in version 1.1.1 by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pagefind ≫ Pagefind Version < 1.1.1

Pagefind ≫ Pagefind Version1.1.1 Updatealpha0

Pagefind ≫ Pagefind Version1.1.1 Updatealpha1

Pagefind ≫ Pagefind Version1.1.1 Updatealpha2

Pagefind ≫ Pagefind Version1.1.1 Updatealpha3

Pagefind ≫ Pagefind Version1.1.1 Updatealpha4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.22%	0.786

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	6.4	1.6	4.7	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986

Not Applicable

https://github.com/CloudCannon/pagefind/commit/14ec96864eabaf1d7d809d5da0186a8856261eeb

Patch

https://github.com/CloudCannon/pagefind/security/advisories/GHSA-gprj-6m2f-j9hx

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-45389

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-45389

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-45389

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-45389