CVE-2024-47885: DOM Clobbering Gadget found in astro's client-side router that leads to XSS
A DOM Clobbering gadget has been discovered in Astro’s client-side router. It can lead to cross-site scripting (XSS) on websites that enable Astro’s client-side routing and have stored attacker-controlled scriptless HTML elements (i.e., iframe tags with unsanitized name attributes) on the destination pages.
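The advisory describes the gadget only in outline: a stored element such as an iframe whose name (or any element's id) is attacker-controlled becomes a named property of window or document and can shadow a global that page scripts, including a client-side router, later read. As an added, generic illustration (not Astro's code and not the project's fix), the Python below first reports every clobbering-capable attribute in a stored HTML fragment and then rewrites the fragment so none remains: name is dropped from the classic carrier elements and id is forced behind a prefix that can never collide with a bare JavaScript identifier. The tag list, the user- prefix, the function names and the sample markup are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser

# Assumed, conservative list of elements whose `name` attribute creates a
# property on window or document. `id` does so on any element, so it is
# handled separately below.
NAME_CLOBBERING_TAGS = {"iframe", "embed", "object", "form", "img", "input", "a", "area"}

# Assumed convention: an id starting with "user-" cannot be reached as a bare
# identifier (window.user-foo is not valid JS), so it cannot shadow a global.
SAFE_ID_PREFIX = "user-"


class _Finder(HTMLParser):
    """Collects (tag, attr, value) triples that could clobber a global."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            value = value or ""
            if attr == "name" and tag in NAME_CLOBBERING_TAGS:
                self.findings.append((tag, attr, value))
            elif attr == "id" and not value.startswith(SAFE_ID_PREFIX):
                self.findings.append((tag, attr, value))


class _Sanitizer(HTMLParser):
    """Re-emits the fragment with clobbering-capable attributes neutralised.

    Intended for scriptless stored HTML (as in the advisory); text inside
    <script>/<style> would be re-escaped and is not expected here.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _render_attrs(self, tag, attrs):
        parts = []
        for attr, value in attrs:
            if attr == "name" and tag in NAME_CLOBBERING_TAGS:
                continue  # drop: this is the attribute the advisory points at
            if attr == "id" and value is not None and not value.startswith(SAFE_ID_PREFIX):
                value = SAFE_ID_PREFIX + value  # keep anchors/CSS hooks working, but unreachable as a global
            if value is None:
                parts.append(f" {attr}")
            else:
                parts.append(f' {attr}="{escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(tag, attrs)}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # re-escape decoded text

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def find_clobbering_attrs(html_text):
    """Detection: list attributes in stored HTML that could shadow a global."""
    parser = _Finder()
    parser.feed(html_text)
    parser.close()
    return parser.findings


def sanitize_clobbering_attrs(html_text):
    """Mitigation: return the fragment with those attributes removed or prefixed."""
    parser = _Sanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


# Constructed sample of stored, scriptless HTML. "routerState" is a made-up
# name standing in for whatever global a page script might read; it is not a
# name taken from Astro.
STORED_HTML = (
    "<p>Hello &amp; welcome</p>"
    '<iframe name="routerState" src="/x"></iframe>'
    '<div id="config">settings</div>'
)

if __name__ == "__main__":
    for tag, attr, value in find_clobbering_attrs(STORED_HTML):
        print(f"clobbering-capable: <{tag} {attr}={value!r}>")
    print(sanitize_clobbering_attrs(STORED_HTML))
```

Run the detector over stored content as an audit (what is already in the database?) and the sanitizer at write time, before the content is persisted; sanitising only on output leaves every other consumer of the stored HTML exposed.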
References
- github.com/advisories/GHSA-m85w-3h95-hcf9
- github.com/withastro/astro
- github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts
- github.com/withastro/astro/commit/a4ffbfaa5cb460c12bd486fd75e36147f51d3e5e
- github.com/withastro/astro/security/advisories/GHSA-m85w-3h95-hcf9
- nvd.nist.gov/vuln/detail/CVE-2024-47885