CVE-2024-43788

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-43788
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-43788.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-43788
Aliases
Downstream
Related
Published
2024-08-27T17:07:16Z
Modified
2025-10-17T09:49:25.441695Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H CVSS Calculator
Summary
DOM Clobbering Gadget found in Webpack's AutoPublicPathRuntimeModule that leads to Cross-site Scripting (XSS)
Details

Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.

References

Affected packages

Git / github.com/webpack/webpack

Affected ranges

Type
GIT
Repo
https://github.com/webpack/webpack
Events
Introduced
3f068c38610a1edfd6be2adf53a2dea44525cfde
Fixed
eabf85d8580dfcb876b56957ba5488222a4f7873

Affected versions

v4.*

v4.28.2
v4.28.3
v4.28.4
v4.29.0
v4.29.1
v4.29.2
v4.29.3
v4.29.4
v4.29.5
v4.29.6
v4.30.0
v4.31.0
v4.32.0
v4.32.1
v4.32.2
v4.33.0
v4.34.0
v4.35.0
v4.35.1
v4.35.2
v4.35.3
v4.36.0
v4.36.1
v4.37.0
v4.38.0
v4.39.0
v4.39.1
v4.39.2
v4.39.3
v4.40.0
v4.40.1
v4.40.2
v4.40.3
v4.41.0
v4.41.1
v4.41.2
v4.41.3
v4.41.4
v4.41.5
v4.41.6
v4.42.0

v5.*

v5.0.0
v5.0.0-alpha.0
v5.0.0-alpha.1
v5.0.0-alpha.10
v5.0.0-alpha.11
v5.0.0-alpha.12
v5.0.0-alpha.13
v5.0.0-alpha.14
v5.0.0-alpha.15
v5.0.0-alpha.16
v5.0.0-alpha.17
v5.0.0-alpha.18
v5.0.0-alpha.19
v5.0.0-alpha.2
v5.0.0-alpha.20
v5.0.0-alpha.21
v5.0.0-alpha.22
v5.0.0-alpha.23
v5.0.0-alpha.24
v5.0.0-alpha.25
v5.0.0-alpha.26
v5.0.0-alpha.27
v5.0.0-alpha.28
v5.0.0-alpha.29
v5.0.0-alpha.3
v5.0.0-alpha.30
v5.0.0-alpha.31
v5.0.0-alpha.32
v5.0.0-alpha.4
v5.0.0-alpha.5
v5.0.0-alpha.6
v5.0.0-alpha.7
v5.0.0-alpha.8
v5.0.0-alpha.9
v5.0.0-beta.0
v5.0.0-beta.1
v5.0.0-beta.10
v5.0.0-beta.11
v5.0.0-beta.12
v5.0.0-beta.13
v5.0.0-beta.14
v5.0.0-beta.15
v5.0.0-beta.16
v5.0.0-beta.17
v5.0.0-beta.18
v5.0.0-beta.19
v5.0.0-beta.2
v5.0.0-beta.20
v5.0.0-beta.21
v5.0.0-beta.22
v5.0.0-beta.23
v5.0.0-beta.24
v5.0.0-beta.25
v5.0.0-beta.26
v5.0.0-beta.27
v5.0.0-beta.28
v5.0.0-beta.29
v5.0.0-beta.3
v5.0.0-beta.30
v5.0.0-beta.31
v5.0.0-beta.32
v5.0.0-beta.33
v5.0.0-beta.4
v5.0.0-beta.5
v5.0.0-beta.6
v5.0.0-beta.7
v5.0.0-beta.8
v5.0.0-beta.9
v5.0.0-rc.0
v5.0.0-rc.1
v5.0.0-rc.2
v5.0.0-rc.3
v5.0.0-rc.4
v5.0.0-rc.5
v5.0.0-rc.6
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.10.0
v5.10.1
v5.10.2
v5.10.3
v5.11.0
v5.11.1
v5.12.0
v5.12.1
v5.12.2
v5.12.3
v5.13.0
v5.14.0
v5.15.0
v5.16.0
v5.17.0
v5.18.0
v5.19.0
v5.2.0
v5.2.1
v5.20.0
v5.20.1
v5.20.2
v5.21.0
v5.21.2
v5.22.0
v5.23.0
v5.24.0
v5.24.1
v5.24.2
v5.24.3
v5.24.4
v5.25.0
v5.25.1
v5.26.0
v5.26.1
v5.26.2
v5.26.3
v5.27.0
v5.27.1
v5.27.2
v5.28.0
v5.29.0
v5.3.0
v5.3.1
v5.3.2
v5.30.0
v5.31.0
v5.31.1
v5.31.2
v5.32.0
v5.33.0
v5.33.1
v5.33.2
v5.34.0
v5.35.0
v5.35.1
v5.36.0
v5.36.1
v5.36.2
v5.37.0
v5.37.1
v5.38.0
v5.38.1
v5.39.0
v5.39.1
v5.4.0
v5.40.0
v5.41.0
v5.41.1
v5.42.0
v5.42.1
v5.43.0
v5.44.0
v5.45.0
v5.45.1
v5.46.0
v5.47.0
v5.47.1
v5.48.0
v5.49.0
v5.5.0
v5.5.1
v5.50.0
v5.51.0
v5.51.1
v5.51.2
v5.52.0
v5.52.1
v5.53.0
v5.54.0
v5.55.0
v5.55.1
v5.56.0
v5.56.1
v5.57.0
v5.57.1
v5.58.0
v5.58.1
v5.58.2
v5.59.0
v5.59.1
v5.6.0
v5.60.0
v5.61.0
v5.62.0
v5.62.1
v5.62.2
v5.63.0
v5.64.0
v5.64.1
v5.64.2
v5.64.3
v5.64.4
v5.65.0
v5.66.0
v5.67.0
v5.68.0
v5.69.0
v5.69.1
v5.7.0
v5.70.0
v5.71.0
v5.72.0
v5.72.1
v5.73.0
v5.74.0
v5.75.0
v5.76.0
v5.76.1
v5.76.2
v5.76.3
v5.77.0
v5.78.0
v5.79.0
v5.8.0
v5.80.0
v5.81.0
v5.82.0
v5.82.1
v5.83.0
v5.83.1
v5.84.0
v5.84.1
v5.85.0
v5.85.1
v5.86.0
v5.87.0
v5.88.0
v5.88.1
v5.88.2
v5.89.0
v5.9.0
v5.90.0
v5.90.1
v5.90.2
v5.90.3
v5.91.0
v5.92.0
v5.92.1
v5.93.0