Lucene search

K
cvelistGitHub_MCVELIST:CVE-2024-23841
HistoryJan 30, 2024 - 5:14 p.m.

CVE-2024-23841 XSS in @apollo/experimental-nextjs-app-support

2024-01-3017:14:12
CWE-80
GitHub_M
www.cve.org
2
cve-2024-23841
xss
apollo client
next.js app
cross-site scripting
vulnerability
npm package
graphql server
update

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

8 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input (e.g. by redirecting a user to a specifically-crafted link) or arrange to have malicious input be returned by a GraphQL server (e.g. by persisting it in a database). To fix this issue, please update to version 0.7.0 or later.

CNA Affected

[
  {
    "vendor": "apollographql",
    "product": "apollo-client-nextjs",
    "versions": [
      {
        "version": "< 0.7.0",
        "status": "affected"
      }
    ]
  }
]

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

8 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

Related for CVELIST:CVE-2024-23841