Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1nM2NoLXJ4NzYtMzVmeM4AA-GA

vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)

A vulnerability has been discovered in vue-template-compiler, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as Object.prototype.staticClass or Object.prototype.staticStyle to execute arbitrary JavaScript code. Vue 2 has reached End-of-Life. This vulnerability has been patched in Vue 3.

Permalink: https://github.com/advisories/GHSA-g3ch-rx76-35fx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nM2NoLXJ4NzYtMzVmeM4AA-GA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 3 months ago

CVSS Score: 4.2
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-g3ch-rx76-35fx, CVE-2024-6783
References:

Blast Radius: 24.6

Affected Packages

npm:vue-template-compiler

Dependent packages: 69,989
Dependent repositories: 709,248
Downloads: 12,011,292 last month
Affected Version Ranges: >= 2.0.0, < 3.0.0
Fixed in: 3.0.0
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 2.5.12, 2.5.13, 2.5.14, 2.5.15, 2.5.16, 2.5.17, 2.5.18, 2.5.19, 2.5.20, 2.5.21, 2.5.22, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.6.14, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 2.7.12, 2.7.13, 2.7.14, 2.7.15, 2.7.16
All unaffected versions: 0.1.0