Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qODI3LTZyZ2YtOTYyOc4AA_zC
Layui has DOM Clobbering gadgets that leads to Cross-site Scripting
Summary
A DOM Clobbering vulnerability has been discovered in layui
that can lead to Cross-site Scripting (XSS) on web pages where attacker-controlled HTML elements (e.g., img
tags with unsanitized name
attributes) are present.
It's worth noting that we’ve identifed similar issues in other popular client-side libraries like Webpack (CVE-2024-43788) and Vite (CVE-2024-45812), which might serve as valuable references.
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code snippet) living in the existing libraries to transform it into executable code.
Impact
This vulnerability can lead to cross-site scripting (XSS) on websites that uses layui
library and allow users to inject certain scriptless HTML tags with improperly sanitized name
or id
attributes.
Patch
This problem has been patched in Layui 2.9.17. You can find the official fix announcement at:
https://layui.dev/notes/share/security-currentscript.html
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qODI3LTZyZ2YtOTYyOc4AA_zC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 6.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
EPSS Percentage: 0.00043
EPSS Percentile: 0.10511
Identifiers: GHSA-j827-6rgf-9629, CVE-2024-47075
References:
- https://github.com/layui/layui/security/advisories/GHSA-j827-6rgf-9629
- https://github.com/layui/layui/commit/f756b41d63bf3d488a2cb042918638c9851bf2b0
- https://layui.dev/notes/share/security-currentscript.html
- https://nvd.nist.gov/vuln/detail/CVE-2024-47075
- https://github.com/advisories/GHSA-j827-6rgf-9629
Blast Radius: 9.8
Affected Packages
npm:layui
Dependent packages: 17Dependent repositories: 34
Downloads: 97,351 last month
Affected Version Ranges: < 2.9.17
Fixed in: 2.9.17
All affected versions: 0.0.1, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.11, 2.8.12, 2.8.13, 2.8.14, 2.8.15, 2.8.16, 2.8.17, 2.8.18, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.9.11, 2.9.12, 2.9.13, 2.9.14, 2.9.15, 2.9.16
All unaffected versions: 2.9.17, 2.9.18, 2.9.19, 2.9.20