GHSA-GPRJ-6M2F-J9HX
Vulnerability from github – Published: 2024-09-03 19:33 – Updated: 2024-09-12 21:38Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script you load. This information is gathered by looking up the value of document.currentScript.src.
It is possible to "clobber" this lookup with otherwise benign HTML on the page, for example:
<img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img>
This will cause document.currentScript.src to resolve as an external domain, which will then be used by Pagefind to load dependencies.
This exploit would only work in the case that an attacker could inject HTML to your live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, img tags with a name attribute), but not others, as adding a script to the page would itself be the XSS vector.
Pagefind has tightened this resolution by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind.
Original Report
If an attacker can inject benign html, such as:
<img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img>
they can clobber document.currentScript.src leading to XSS in your library.
Here is the same attack on webpack that was accepted: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "pagefind"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@pagefind/default-ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@pagefind/modular-ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "pagefind"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45389"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-03T19:33:36Z",
"nvd_published_at": "2024-09-03T20:15:08Z",
"severity": "MODERATE"
},
"details": "Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script you load. This information is gathered by looking up the value of `document.currentScript.src`.\n\nIt is possible to \"clobber\" this lookup with otherwise benign HTML on the page, for example:\n```html\n\u003cimg name=\"currentScript\" src=\"blob:https://xxx.xxx.xxx/ui.js\"\u003e\u003c/img\u003e\n```\n\nThis will cause `document.currentScript.src` to resolve as an external domain, which will then be used by Pagefind to load dependencies.\n\nThis exploit would only work in the case that an attacker could inject HTML to your live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, `img` tags with a `name` attribute), but not others, as adding a `script` to the page would itself be the XSS vector.\n\nPagefind has tightened this resolution by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind.\n\n### Original Report\n\nIf an attacker can inject benign html, such as:\n`\u003cimg name=\"currentScript\" src=\"blob:https://xxx.xxx.xxx/ui.js\"\u003e\u003c/img\u003e`\n\nthey can clobber `document.currentScript.src` leading to XSS in your library.\n\nHere is the same attack on webpack that was accepted: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986",
"id": "GHSA-gprj-6m2f-j9hx",
"modified": "2024-09-12T21:38:09Z",
"published": "2024-09-03T19:33:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/CloudCannon/pagefind/security/advisories/GHSA-gprj-6m2f-j9hx"
},
{
"type": "WEB",
"url": "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45389"
},
{
"type": "WEB",
"url": "https://github.com/CloudCannon/pagefind/commit/14ec96864eabaf1d7d809d5da0186a8856261eeb"
},
{
"type": "PACKAGE",
"url": "https://github.com/CloudCannon/pagefind"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "DOM clobbering could escalate to Cross-site Scripting (XSS)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.