Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability.
Metrics
Affected Vendors & Products
References
History
Thu, 12 Dec 2024 02:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Redhat
Redhat openshift Distributed Tracing |
|
CPEs | cpe:/a:redhat:openshift_distributed_tracing:3.4::el8 | |
Vendors & Products |
Redhat
Redhat openshift Distributed Tracing |
Tue, 29 Oct 2024 15:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability. | Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability. |
Mon, 30 Sep 2024 18:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Rollupjs
Rollupjs rollup |
|
CPEs | cpe:2.3:a:rollupjs:rollup:*:*:*:*:*:node.js:*:* | |
Vendors & Products |
Rollupjs
Rollupjs rollup |
Mon, 23 Sep 2024 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
| |
Metrics |
threat_severity
|
threat_severity
|
Mon, 23 Sep 2024 16:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Rollup
Rollup rollup |
|
CPEs | cpe:2.3:a:rollup:rollup:*:*:*:*:*:*:*:* | |
Vendors & Products |
Rollup
Rollup rollup |
|
Metrics |
ssvc
|
Mon, 23 Sep 2024 15:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability. | |
Title | DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS | |
Weaknesses | CWE-79 | |
References |
|
|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-09-23T15:26:09.313Z
Updated: 2024-10-29T15:16:32.075Z
Reserved: 2024-09-17T17:42:37.029Z
Link: CVE-2024-47068
Vulnrichment
Updated: 2024-09-23T15:53:10.610Z
NVD
Status : Modified
Published: 2024-09-23T16:15:06.947
Modified: 2024-10-29T16:15:05.583
Link: CVE-2024-47068
Redhat