@astrojs/starlight (>=0.0.1 <=0.9.1), @jti/doctools (>=1.0.0 <=1.3.7) +4 more potentially affected by CVE-2024-45389 via pagefind (>=0.11.0 <=1.1.0)

pagefind NPM version =0.11.0, =0.0.1, =1.0.0, =0.0.1, =1.0.0, =0.8.0, =0.0.11, =0.0.14 Source cves: CVE-2024-45389 Source advisory: OSV:GHSA-GPRJ-6M2F-J9HX...

GHSA-GPRJ-6M2F-J9HX DOM clobbering could escalate to Cross-site Scripting (XSS)

Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script you load. This information is gathered by looking up the value of document.currentScript.src. It is possible to "clobber" this lookup with otherwise benign HTML on the page, for example:...

Pagefind 安全漏洞

Pagefind is a fully static search library open-sourced by CloudCannon. A security vulnerability exists in Pagefind version 1.1.1 and prior versions, which stems from a lookup of the document.currentScript.src value that can be overridden by other HTML elements on the page, which could lead to an...