CVE-2024-6783: vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)

July 23, 2024

A vulnerability has been discovered in vue-template-compiler, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as Object.prototype.staticClass or Object.prototype.staticStyle to execute arbitrary JavaScript code. Vue 2 has reached End-of-Life. This vulnerability has been patched in Vue 3.

References

github.com/advisories/GHSA-g3ch-rx76-35fx
github.com/vuejs/vue
nvd.nist.gov/vuln/detail/CVE-2024-6783
www.herodevs.com/vulnerability-directory/cve-2024-6783---vue-client-side-xss

Code Behaviors & Features

Detect and mitigate CVE-2024-6783 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →