CVE-2024-43788: Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
We discovered a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code.
References
- github.com/advisories/GHSA-4vvj-4cpr-p986
- github.com/webpack/webpack
- github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61
- github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
- nvd.nist.gov/vuln/detail/CVE-2024-43788
- research.securitum.com/xss-in-amp4email-dom-clobbering
- scnps.co/papers/sp23_domclob.pdf
Detect and mitigate CVE-2024-43788 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →