CVE-2024-45389

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-45389

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-45389.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-45389

Aliases

Published

2024-09-03T20:15:08Z

Modified

2024-09-19T00:59:39.107622Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Pagefind, a fully static search library, initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script the user loads. This information is gathered by looking up the value of document.currentScript.src. Prior to Pagefind version 1.1.1, it is possible to "clobber" this lookup with otherwise benign HTML on the page. This will cause document.currentScript.src to resolve as an external domain, which will then be used by Pagefind to load dependencies. This exploit would only work in the case that an attacker could inject HTML to a live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, img tags with a name attribute), but not others, as adding a script to the page would itself be the cross-site scripting vector. Pagefind has tightened this resolution in version 1.1.1 by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind.

References

Affected packages

Git / github.com/cloudcannon/pagefind

Affected ranges

Type: GIT
Repo: https://github.com/cloudcannon/pagefind
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

14ec96864eabaf1d7d809d5da0186a8856261eeb

Type: GIT
Repo: https://github.com/webpack/webpack
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

5154409d669d871540b8052c1173244cdc1a1aa1

Affected versions

v0.*

v0.1.0-rc0

v0.1.0-rc1

v0.1.0-rc10

v0.1.0-rc11

v0.1.0-rc12

v0.1.0-rc2

v0.1.0-rc3

v0.1.0-rc4

v0.1.0-rc5

v0.1.0-rc6

v0.1.0-rc7

v0.1.0-rc8

v0.1.0-rc9

v0.1.1-rc13

v0.1.1-rc14

v0.1.1-rc15

v0.1.1-rc16

v0.1.1-rc17

v0.1.1-rc18

v0.1.1-rc19

v0.1.1-rc20

v0.1.1-rc21

v0.1.1-rc22

v0.1.1-rc23

v0.1.1-rc24

v0.1.1-rc25

v0.1.1-rc26

v0.1.1-rc27

v0.1.1-rc28

v0.1.1-rc29

v0.1.1-rc30

v0.1.1-rc31

v0.1.1-rc32

v0.1.1-rc33

v0.1.1-rc34

v0.1.1-rc35

v0.1.1-rc36

v0.1.1-rc37

v0.1.1-rc38

v0.1.1-rc39

v0.1.1-rc40

v0.1.1-rc41

v0.1.1-rc42

v0.10.0

v0.10.1

v0.10.2

v0.10.3

v0.10.4

v0.10.5

v0.10.6

v0.10.7

v0.11.0

v0.11.1-beta.0

v0.11.1-beta.1

v0.11.1-beta.2

v0.11.1-beta.3

v0.12.0

v0.12.0-beta.0

v0.12.0-beta.1

v0.12.0-beta.2

v0.12.0-beta.3

v0.12.1-beta.0

v0.13.0-alpha.0

v0.2.0

v0.3.0

v0.3.1

v0.3.2

v0.4.0

v0.4.1

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.6.0

v0.6.1

v0.7.0

v0.7.1

v0.8.0

v0.8.1

v0.9.0

v0.9.1

v0.9.2

v0.9.3

v1.*

v1.0.0

v1.0.0-alpha.0

v1.0.0-alpha.1

v1.0.0-alpha.10

v1.0.0-alpha.2

v1.0.0-alpha.3

v1.0.0-alpha.4

v1.0.0-alpha.5

v1.0.0-alpha.6

v1.0.0-alpha.7

v1.0.0-alpha.8

v1.0.0-alpha.9

v1.0.0-beta.0

v1.0.0-beta.1

v1.0.0-beta.2

v1.0.0-beta.3

v1.0.0-beta.4

v1.0.0-beta.5

v1.0.0-beta.6

v1.0.0-beta2

v1.0.0-beta3

v1.0.0-beta4

v1.0.0-beta5

v1.0.0-beta6

v1.0.0-beta7

v1.0.0-beta8

v1.0.0-beta9

v1.0.0-rc1

v1.0.0-rc10

v1.0.0-rc11

v1.0.0-rc12

v1.0.0-rc2

v1.0.0-rc3

v1.0.0-rc4

v1.0.0-rc5

v1.0.0-rc6

v1.0.0-rc7

v1.0.0-rc8

v1.0.0-rc9

v1.0.1

v1.0.1-rc0

v1.0.1-rc1

v1.0.2

v1.0.3

v1.0.3-rc0

v1.0.3-rc1

v1.0.4

v1.0.4-beta.0

v1.0.4-rc0

v1.0.4-rc1

v1.0.4-rc2

v1.0.5

v1.0.5-rc0

v1.0.5-rc1

v1.0.5-rc2

v1.1.0

v1.1.0-beta1

v1.1.0-beta10

v1.1.0-beta11

v1.1.0-beta12

v1.1.0-beta2

v1.1.0-beta3

v1.1.0-beta4

v1.1.0-beta5

v1.1.0-beta6

v1.1.0-beta7

v1.1.0-beta8

v1.1.0-beta9

v1.1.0-rc1

v1.1.1-alpha.0

v1.1.1-alpha.1

v1.1.1-alpha.2

v1.1.1-alpha.3

v1.1.1-alpha.4