CVE-2024-45389

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-45389
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-45389.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-45389
Aliases
Published
2024-09-03T20:15:08Z
Modified
2024-10-12T11:30:33.419313Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Pagefind, a fully static search library, initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script the user loads. This information is gathered by looking up the value of document.currentScript.src. Prior to Pagefind version 1.1.1, it is possible to "clobber" this lookup with otherwise benign HTML on the page. This will cause document.currentScript.src to resolve as an external domain, which will then be used by Pagefind to load dependencies. This exploit would only work in the case that an attacker could inject HTML to a live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, img tags with a name attribute), but not others, as adding a script to the page would itself be the cross-site scripting vector. Pagefind has tightened this resolution in version 1.1.1 by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind.

References

Affected packages

Git / github.com/cloudcannon/pagefind

Affected ranges

Type
GIT
Repo
https://github.com/cloudcannon/pagefind
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/webpack/webpack
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.1.0-rc0
v0.1.0-rc1
v0.1.0-rc10
v0.1.0-rc11
v0.1.0-rc12
v0.1.0-rc2
v0.1.0-rc3
v0.1.0-rc4
v0.1.0-rc5
v0.1.0-rc6
v0.1.0-rc7
v0.1.0-rc8
v0.1.0-rc9
v0.1.1-rc13
v0.1.1-rc14
v0.1.1-rc15
v0.1.1-rc16
v0.1.1-rc17
v0.1.1-rc18
v0.1.1-rc19
v0.1.1-rc20
v0.1.1-rc21
v0.1.1-rc22
v0.1.1-rc23
v0.1.1-rc24
v0.1.1-rc25
v0.1.1-rc26
v0.1.1-rc27
v0.1.1-rc28
v0.1.1-rc29
v0.1.1-rc30
v0.1.1-rc31
v0.1.1-rc32
v0.1.1-rc33
v0.1.1-rc34
v0.1.1-rc35
v0.1.1-rc36
v0.1.1-rc37
v0.1.1-rc38
v0.1.1-rc39
v0.1.1-rc40
v0.1.1-rc41
v0.1.1-rc42
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.10.5
v0.10.6
v0.10.7
v0.11.0
v0.11.1-beta.0
v0.11.1-beta.1
v0.11.1-beta.2
v0.11.1-beta.3
v0.12.0
v0.12.0-beta.0
v0.12.0-beta.1
v0.12.0-beta.2
v0.12.0-beta.3
v0.12.1-beta.0
v0.13.0-alpha.0
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.4.0
v0.4.1
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0
v0.8.1
v0.9.0
v0.9.1
v0.9.2
v0.9.3

v1.*

v1.0.0
v1.0.0-alpha.0
v1.0.0-alpha.1
v1.0.0-alpha.10
v1.0.0-alpha.2
v1.0.0-alpha.3
v1.0.0-alpha.4
v1.0.0-alpha.5
v1.0.0-alpha.6
v1.0.0-alpha.7
v1.0.0-alpha.8
v1.0.0-alpha.9
v1.0.0-beta.0
v1.0.0-beta.1
v1.0.0-beta.2
v1.0.0-beta.3
v1.0.0-beta.4
v1.0.0-beta.5
v1.0.0-beta.6
v1.0.0-beta2
v1.0.0-beta3
v1.0.0-beta4
v1.0.0-beta5
v1.0.0-beta6
v1.0.0-beta7
v1.0.0-beta8
v1.0.0-beta9
v1.0.0-rc1
v1.0.0-rc10
v1.0.0-rc11
v1.0.0-rc12
v1.0.0-rc2
v1.0.0-rc3
v1.0.0-rc4
v1.0.0-rc5
v1.0.0-rc6
v1.0.0-rc7
v1.0.0-rc8
v1.0.0-rc9
v1.0.1
v1.0.1-rc0
v1.0.1-rc1
v1.0.2
v1.0.3
v1.0.3-rc0
v1.0.3-rc1
v1.0.4
v1.0.4-beta.0
v1.0.4-rc0
v1.0.4-rc1
v1.0.4-rc2
v1.0.5
v1.0.5-rc0
v1.0.5-rc1
v1.0.5-rc2
v1.1.0
v1.1.0-beta1
v1.1.0-beta10
v1.1.0-beta11
v1.1.0-beta12
v1.1.0-beta2
v1.1.0-beta3
v1.1.0-beta4
v1.1.0-beta5
v1.1.0-beta6
v1.1.0-beta7
v1.1.0-beta8
v1.1.0-beta9
v1.1.0-rc1
v1.1.1-alpha.0
v1.1.1-alpha.1
v1.1.1-alpha.2
v1.1.1-alpha.3
v1.1.1-alpha.4