PT-2024-31793 · Vite · Vite
Michał Bentkowski · Published 2024-08-27 · Updated 2025-01-17 · CVE-2024-45812
CVSS v3.1: 6.4 Medium
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions:
Vite versions prior to 3.2.11
Vite versions prior to 4.5.5
Vite versions prior to 5.2.14
Vite versions prior to 5.3.6
Vite versions prior to 5.4.6
Description:
A DOM Clobbering vulnerability was discovered in Vite when building scripts to the cjs/iife/umd output formats. This vulnerability can lead to cross-site scripting (XSS) attacks on websites that include Vite-bundled files and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. The vulnerability occurs when an attacker embeds a piece of non-script, seemingly benign HTML markup in the webpage and leverages gadgets (pieces of JavaScript code) living in the existing JavaScript code to transform it into executable code. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism, allowing the attacker to replace the intended script element with a malicious HTML element. This can result in the dynamic loading of scripts from an attacker-controlled server.
Recommendations:
For versions prior to 3.2.11, update to version 3.2.11 or later.
For versions prior to 4.5.5, update to version 4.5.5 or later.
For versions prior to 5.2.14, update to version 5.2.14 or later.
For versions prior to 5.3.6, update to version 5.3.6 or later.
For versions prior to 5.4.6, update to version 5.4.6 or later.
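One way to harden the document.currentScript lookup described above, shown beside the unhardened pattern. This is an added example, not code from the advisory or from Vite. The function names, the `FakeScriptElement` stand-in for `HTMLScriptElement`, the sample URLs and the origin allowlist are all assumptions made for illustration.

```javascript
// Unhardened pattern: whatever object document.currentScript returns
// supplies the URL used for later dynamic script loads.
function unsafeScriptUrl(doc) {
  return (doc.currentScript && doc.currentScript.src) || null;
}

// Hardened lookup. ScriptCtor is HTMLScriptElement in a browser; it is a
// parameter here only so the example also runs under Node with stand-ins.
function safeScriptUrl(doc, ScriptCtor, allowedOrigins) {
  const el = doc.currentScript;
  // A shadowed lookup returns some other element type, never a real script.
  if (!(el instanceof ScriptCtor)) return null;
  if (typeof el.src !== 'string' || el.src === '') return null;
  let url;
  try {
    url = new URL(el.src, doc.baseURI);
  } catch {
    return null; // unparsable src: refuse rather than guess
  }
  // Extra check (assumption, not from the advisory): only accept origins
  // the application expects to serve its bundles from.
  return allowedOrigins.includes(url.origin) ? url.href : null;
}

// Constructed stand-ins for DOM objects (not real browser types).
class FakeScriptElement {
  constructor(src) { this.src = src; }
}
const ALLOWED_ORIGINS = ['https://app.example'];
const genuineDoc = {
  baseURI: 'https://app.example/',
  currentScript: new FakeScriptElement('https://app.example/assets/main.js'),
};
// Models a non-script element that shadows the currentScript property.
const clobberedDoc = {
  baseURI: 'https://app.example/',
  currentScript: { tagName: 'IMG', src: 'https://untrusted.example/' },
};

console.log(unsafeScriptUrl(clobberedDoc));
console.log(safeScriptUrl(clobberedDoc, FakeScriptElement, ALLOWED_ORIGINS));
console.log(safeScriptUrl(genuineDoc, FakeScriptElement, ALLOWED_ORIGINS));
```

In a browser, pass `document`, `HTMLScriptElement` and the site's own origins. A `null` result should fall back to a fixed, known-good base URL instead of the element's `src`.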
Exploit
Fix
XSS
Affected Products
Vite