Lucene search

GoogleOSV:CVE-2024-24558

HistoryJan 30, 2024 - 8:15 p.m.

CVE-2024-24558

2024-01-3020:15:45

Google

osv.dev

tanstack query

cross-site scripting

npm package

version update

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

6.2 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

TanStack Query supplies asynchronous state management, server-state utilities and data fetching for the web. The @tanstack/react-query-next-experimental NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint. To fix this issue, please update to version 5.18.0 or later.

CPENameOperatorVersion
queryeq4.29.5
queryeq5.11.0
queryeq2.10.0
queryeq5.0.0
queryeq5.14.4
queryeq3.34.2
queryeq3.24.5
queryeq3.38.1
queryeq1.4.2
queryeq4.36.0

Name	Operator	Version
query	eq	4.29.5
query	eq	5.11.0
query	eq	2.10.0
query	eq	5.0.0
query	eq	5.14.4
query	eq	3.34.2
query	eq	3.24.5
query	eq	3.38.1
query	eq	1.4.2
query	eq	4.36.0

Rows per page:

1-10 of 6161

References

github.com/TanStack/query/commit/f2ddaf2536e8b71d2da88a9310ac9a48c13512a1

github.com/TanStack/query/security/advisories/GHSA-997g-27x8-43rf

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

6.2 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

Related for OSV:CVE-2024-24558