CVE-2024-47068

Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:rollupjs:rollup:*:*:*:*:*:node.js:*:*
cpe:2.3:a:rollupjs:rollup:*:*:*:*:*:node.js:*:*
cpe:2.3:a:rollupjs:rollup:*:*:*:*:*:node.js:*:*

History

29 Oct 2024, 16:15

Type Values Removed Values Added
Summary (en) Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability. (en) Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability.

30 Sep 2024, 17:39

Type Values Removed Values Added
References () https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162 - () https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162 - Product
References () https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185 - () https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185 - Product
References () https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4 - () https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4 - Patch
References () https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541 - () https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541 - Patch
References () https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm - () https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm - Exploit, Vendor Advisory
First Time Rollupjs
Rollupjs rollup
CPE cpe:2.3:a:rollupjs:rollup:*:*:*:*:*:node.js:*:*

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) Rollup es un empaquetador de módulos para JavaScript. Las versiones anteriores a 3.29.5 y 4.22.4 son susceptibles a una vulnerabilidad de DOM Clobbering al agrupar scripts con propiedades de `import.meta` (por ejemplo, `import.meta.url`) en formato `cjs`/`umd`/`iife`. El gadget DOM Clobbering puede provocar cross-site scripting (XSS) en páginas web donde hay elementos HTML sin scripts controlados por atacantes (por ejemplo, una etiqueta `img` con un atributo `name` no saneado). Las versiones 3.29.5 y 4.22.4 contienen un parche para la vulnerabilidad.

23 Sep 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-23 16:15

Updated : 2024-10-29 16:15


NVD link : CVE-2024-47068

Mitre link : CVE-2024-47068

CVE.ORG link : CVE-2024-47068


JSON object : View

Products Affected

rollupjs

  • rollup
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')