CVE-2024-45389

Name of the Vulnerable Software and Affected Versions: Pagefind versions prior to 1.1.1

Description: A DOM Clobbering vulnerability exists in Pagefind, allowing an attacker to inject malicious HTML and escalate privileges. This occurs when an attacker can add elements to a page, such as img tags with a name attribute, but not others, as adding a script would be an XSS vector. The vulnerability relies on the document.currentScript.src lookup being shadowed by an attacker-controlled HTML element, causing Pagefind to load dependencies from an external domain. There are no reports of this being exploited in the wild via Pagefind.

Recommendations: For Pagefind versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue. As a temporary workaround, consider restricting the ability to inject HTML elements with name attributes on pages using Pagefind.