Plataforma
nodejs
Componente
vue-template-compiler
Corrigido em
2.7.17
A Cross-Site Scripting (XSS) vulnerability has been identified in vue-template-compiler, a component used for compiling Vue.js templates. This vulnerability allows attackers to inject malicious JavaScript code through prototype pollution, potentially leading to unauthorized actions or data theft. The vulnerability affects versions prior to 2.7.17, and a patch is available in Vue 3.
The vulnerability stems from the ability to manipulate the prototype chain of properties like Object.prototype.staticClass or Object.prototype.staticStyle. By injecting malicious code into these properties, an attacker can hijack the execution flow of the Vue.js application and execute arbitrary JavaScript within the user's browser context. This could lead to session hijacking, defacement of the website, or the theft of sensitive user data. Given Vue's widespread use in web applications, exploitation of this vulnerability could have a significant impact.
This vulnerability was publicly disclosed on July 23, 2024. While no active exploitation campaigns have been confirmed, the availability of a proof-of-concept could lead to opportunistic attacks. Given the widespread use of Vue.js, it is crucial to apply the patch promptly. The vulnerability is not currently listed on CISA KEV.
Applications using versions of vue-template-compiler prior to 2.7.17 are at risk, particularly those that process user-supplied data without proper sanitization. Projects relying on older Vue.js versions that haven't been actively maintained are also at increased risk.
• nodejs / supply-chain:
npm list vue-template-compiler• nodejs / supply-chain:
npm audit vue-template-compiler• nodejs / supply-chain:
grep -r 'Object.prototype.staticClass' node_modules/vue-template-compilerdisclosure
Status do Exploit
EPSS
0.31% (percentil 54%)
CISA SSVC
Vetor CVSS
The primary mitigation is to upgrade to Vue 2.7.17 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on user-supplied data to prevent prototype pollution. Web Application Firewalls (WAFs) configured to detect and block prototype pollution attempts can also provide a temporary layer of protection. Monitor application logs for unusual activity related to prototype modifications.
Actualice Vue a una versión posterior a 2.7.16. Esto solucionará la vulnerabilidad de Cross-Site Scripting (XSS) causada por la contaminación del prototipo. Asegúrese de probar la aplicación después de la actualización para verificar que no haya problemas de compatibilidad.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2024-6783 is a Cross-Site Scripting (XSS) vulnerability in vue-template-compiler that allows attackers to execute JavaScript via prototype pollution.
You are affected if you are using a version of vue-template-compiler prior to 2.7.17.
Upgrade to vue-template-compiler version 2.7.17 or later to patch the vulnerability. Consider input validation as a temporary measure.
No active exploitation campaigns have been confirmed, but the availability of a proof-of-concept increases the risk of opportunistic attacks.
Refer to the official Vue.js security advisories and release notes for details: https://vuejs.org/security/
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.