CVE-2024-37304

Name of the Vulnerable Software and Affected Versions NuGet Gallery versions prior to 2024.05.28

Description The NuGet Gallery has a security issue related to its handling of autolinks in Markdown content. It does not adequately sanitize autolinks, allowing attackers to exploit them as a vector for Cross-Site Scripting (XSS) attacks. When a user inputs a Markdown autolink, the link is rendered without proper sanitization, enabling the execution of JavaScript code within the autolink by the browser.

Recommendations For versions prior to 2024.05.28, update to version 2024.05.28 to resolve the issue. As a temporary workaround, consider disabling the rendering of Markdown autolinks until the patch is applied. Restrict access to user-inputted Markdown content to minimize the risk of exploitation. Avoid using JavaScript code within Markdown autolinks in the affected NuGet Gallery versions until the issue is resolved.