CVE-2024-45047
MEDIUM5.4EPSS 0.38%Svelte has a potential mXSS vulnerability due to improper HTML escaping
Description
### Summary A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19. ### Details Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules: - If the string is an attribute value: - `"` -> `"` - `&` -> `&` - Other characters -> No conversion - Otherwise: - `<` -> `<` - `&` -> `&` - Other characters -> No conversion The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a `<noscript>` tag. ### PoC A vulnerable page (`+page.svelte`): ```html <script> import { page } from "$app/stores" // user input let href = $page.url.searchParams.get("href") ?? "https://example.com"; </script> <noscript> <a href={href}>test</a> </noscript> ``` If a user accesses the following URL, ``` http://localhost:4173/?href=</noscript><script>alert(123)</script> ``` then, `alert(123)` will be executed. ### Impact XSS, when using an attribute within a noscript tag
Affected packages (1)
- npm/sveltefrom 0, < 4.2.19
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |