Home > Vulnerability Database > CVE-2024-47068

Mend.io Vulnerability Database

CVE-2024-47068

Good to know:

Date: September 23, 2024

Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability.

Language: TYPE_SCRIPT

Severity Score

6.1

Related Resources (8)

Url: https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541

Url: https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162

Url: https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-47068

Url: https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm

Url: https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185

Url: https://github.com/rollup/rollup

Url: https://www.mend.io/vulnerability-database/CVE-2024-47068

Severity Score

6.1

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version rollup - 3.29.5,4.22.4

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-47068

Good to know:

Date: September 23, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?