6 matches found
CVE-2025-48939
tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.22.0, a vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual element. If an attacker injected an HTML element, it could clobber the...
CVE-2025-48939
CVE-2025-48939 concerns tarteaucitron.js where, before version 1.22.0, code accessed document.currentScript without validating it was a real [removed] element. An attacker injecting HTML could cause DOM clobbering, potentially changing the script path (e.g., CDN domain). The issue stems from some...
UBUNTU-CVE-2024-53382
Prism aka PrismJS through 1.29.0 allows DOM Clobbering with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript, because document.currentScript lookup can be shadowed by attacker-injected HTML elements...
Arbitrary Code Injection
Overview org.webjars.npm:prismjs is a lightweight, robust, elegant syntax highlighting library. Affected versions of this package are vulnerable to Arbitrary Code Injection via the document.currentScript lookup process. An attacker can manipulate the web page content and execute unintended action...
Cross Site Scripting(XSS)
Vite is vulnerable to Cross Site ScriptingXSS. The vulnerability is due to improper handling of the document.currentScript lookup in Vite's script imports for cjs, iife, or umd output formats. It allows attackers to manipulate DOM elements, such as using unsanitized attributes in HTML tags, to...
GHSA-GPRJ-6M2F-J9HX DOM clobbering could escalate to Cross-site Scripting (XSS)
Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script you load. This information is gathered by looking up the value of document.currentScript.src. It is possible to "clobber" this lookup with otherwise benign HTML on the page, for example:...