PT-2024-24595 · Deno · Deno
Nekzor · Published 2024-11-25 · Updated 2024-11-25 · CVE-2024-32468
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Deno versions prior to 1.41.1
Description
The issue concerns several cross-site scripting vulnerabilities in the `deno_doc` crate, leading to self-XSS when using `deno doc --html`. Specifically, there are two vulnerabilities:
- the generated search `index.js` file assigns unsanitized HTML input to `innerHTML`, and
- the `deno doc` component does not sanitize property names, method names, and enum names.
The first vulnerability likely has minimal impact, since `deno doc --html` is typically run locally on one's own packages; the payload only runs in the browser of whoever opens the generated documentation.
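The two bugs described above are the same class of defect seen from two sides: a symbol name that was never escaped is interpolated into markup, and the generated page then hands that markup to `innerHTML`. The following is an added example, not code from Deno or the `deno_doc` crate: the rendering helpers, the hostile symbol name and the tag check are all hypothetical, constructed to show the vulnerable pattern next to an escaped version.

```javascript
// Added example (not Deno's code): an unsanitized symbol name reaching the
// DOM through innerHTML, and the escaping that stops it. renderResultUnsafe,
// renderResultSafe, escapeHtml and containsInjectedTag are hypothetical.

// Constructed sample input: a property/method name that carries markup.
// An attacker controls this if they can get a package with such a name
// into a docs build that someone else opens in a browser.
const HOSTILE_NAME = 'on<img src=x onerror="alert(document.cookie)">load';

// Vulnerable pattern: the name is interpolated verbatim into markup.
// In a browser this string would end up in `list.innerHTML = ...`, so the
// <img> element and its onerror handler become live DOM.
function renderResultUnsafe(symbol) {
  return `<li class="result"><code>${symbol.name}</code></li>`;
}

// Minimal HTML escaping, safe for text nodes and double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: escape before interpolating. The user still sees the
// exact name; it just cannot introduce elements or attributes any more.
function renderResultSafe(symbol) {
  return `<li class="result"><code>${escapeHtml(symbol.name)}</code></li>`;
}

// Crude check used to compare the two renderings: does the markup contain
// any tag other than the ones the template itself emits?
function containsInjectedTag(html) {
  const allowed = new Set(['li', '/li', 'code', '/code']);
  const tags = [...html.matchAll(/<([^\s>]+)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

// Equivalent fix that avoids innerHTML for untrusted text altogether
// (browser-only, shown as a comment so the block runs under Node):
//   const li = document.createElement('li');
//   const code = document.createElement('code');
//   code.textContent = symbol.name;   // never parsed as HTML
//   li.appendChild(code); list.appendChild(li);

const hostile = { name: HOSTILE_NAME };
console.log('unsafe injects tag:', containsInjectedTag(renderResultUnsafe(hostile)));
console.log('safe   injects tag:', containsInjectedTag(renderResultSafe(hostile)));
```

The check to apply to a generator like this is whether every untrusted string (symbol names, doc comments, file paths) passes through one escaping function before it is concatenated into HTML, or whether the client script builds nodes with `textContent` instead of `innerHTML`; either closes the hole, and doing both is cheap.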
Recommendations
For Deno versions prior to 1.41.1, upgrade to 1.41.1 or later to mitigate the risk.
As a temporary workaround, consider restricting the use of the `deno doc --html` command until a patch is applied.
Avoid using the `deno doc` component with unsanitized input until the issue is resolved.
Exploit
Fix
XSS
Affected Products
Deno