
CVE-2024-47075

2024-09-26 18:15:08
CWE-79
GitHub_M
web.nvd.nist.gov
18
layui
web ui library
v2.9.17
dom clobbering
xss

CVSS3: 6.4

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

EPSS: 0
Percentile: 9.6%

LayUI is a native minimalist modular Web UI component library. Versions prior to 2.9.17 have a DOM Clobbering vulnerability that can lead to Cross-site Scripting (XSS) on web pages where attacker-controlled HTML elements (e.g., img tags with unsanitized name attributes) are present. Version 2.9.17 fixes this issue.

Affected configurations

Vulners
Node
layui   layui    Range < 2.9.17

Vendor  Product  Version  CPE
layui   layui    *        cpe:2.3:a:layui:layui:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "layui",
    "product": "layui",
    "versions": [
      {
        "version": "< 2.9.17",
        "status": "affected"
      }
    ]
  }
]
