Search criteria
9 vulnerabilities found for svelte by svelte
FKIE_CVE-2024-45047
Vulnerability from fkie_nvd - Published: 2024-08-30 17:15 - Updated: 2024-09-25 19:06
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
svelte performance oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19. Svelte improperly escapes HTML on server-side rendering. The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). More specifically, this can occur when injecting malicious content into an attribute within a `noscript` tag. This issue has been addressed in release version 4.2.19. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "99EE1DD2-1E41-4D09-A826-589B242D34BE",
"versionEndExcluding": "4.2.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "svelte performance oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19. Svelte improperly escapes HTML on server-side rendering. The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). More specifically, this can occur when injecting malicious content into an attribute within a `noscript` tag. This issue has been addressed in release version 4.2.19. Users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Svelte es un framework web orientado al rendimiento. Existe una vulnerabilidad potencial mXSS en Svelte para las versiones hasta la 4.2.19, pero no incluida. Svelte escapa incorrectamente el HTML en la representaci\u00f3n del lado del servidor. Se supone que los atributos siempre permanecer\u00e1n como tales, pero en algunas situaciones el \u00e1rbol DOM final representado en los navegadores es diferente de lo que Svelte espera en la representaci\u00f3n del lado del servidor. Esto se puede aprovechar para realizar ataques XSS, y un tipo de XSS se conoce como mXSS (XSS de mutaci\u00f3n). M\u00e1s espec\u00edficamente, esto puede ocurrir cuando se inyecta contenido malicioso en un atributo dentro de una etiqueta `noscript`. Este problema se ha solucionado en la versi\u00f3n de lanzamiento 4.2.19. Se recomienda a los usuarios que actualicen. No existen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2024-45047",
"lastModified": "2024-09-25T19:06:47.717",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-30T17:15:15.377",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-25875
Vulnerability from fkie_nvd - Published: 2022-07-12 19:15 - Updated: 2024-11-21 06:53
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
References
| URL | Tags | ||
|---|---|---|---|
| report@snyk.io | https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907 | Exploit, Patch, Third Party Advisory | |
| report@snyk.io | https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990 | Broken Link | |
| report@snyk.io | https://snyk.io/vuln/SNYK-JS-SVELTE-2931080 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | https://snyk.io/vuln/SNYK-JS-SVELTE-2931080 | Exploit, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "63F747DE-2C57-4C07-B79D-542F872AAD78",
"versionEndExcluding": "3.49.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function."
},
{
"lang": "es",
"value": "El paquete svelte versiones anteriores a 3.49.0, es vulnerable a un ataque de tipo Cross-site Scripting (XSS) debido a un saneo inapropiado de la entrada y a un escape de atributos inapropiado cuando son usados objetos durante el SSR (Server-Side Rendering). La explotaci\u00f3n de esta vulnerabilidad es posible por medio de objetos con una funci\u00f3n toString() personalizada"
}
],
"id": "CVE-2022-25875",
"lastModified": "2024-11-21T06:53:09.010",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "report@snyk.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-12T19:15:08.330",
"references": [
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"
},
{
"source": "report@snyk.io",
"tags": [
"Broken Link"
],
"url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"
},
{
"source": "report@snyk.io",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"
}
],
"sourceIdentifier": "report@snyk.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-29261
Vulnerability from fkie_nvd - Published: 2021-04-05 07:15 - Updated: 2024-11-21 06:00
Severity ?
Summary
The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:svelte:svelte:*:*:*:*:*:visual_studio_code:*:*",
"matchCriteriaId": "5A787B2A-AC2F-417D-884E-C67E0C541211",
"versionEndExcluding": "104.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration."
},
{
"lang": "es",
"value": "La extensi\u00f3n no oficial Svelte versiones anteriores a 104.8.0 para Visual Studio Code, permite a atacantes ejecutar c\u00f3digo arbitrario por medio de una configuraci\u00f3n de workspace dise\u00f1ada"
}
],
"id": "CVE-2021-29261",
"lastModified": "2024-11-21T06:00:54.093",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-05T07:15:14.463",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/sveltejs/language-tools/releases"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://vuln.ryotak.me/advisories/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/sveltejs/language-tools/releases"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://vuln.ryotak.me/advisories/3"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-45047 (GCVE-0-2024-45047)
Vulnerability from cvelistv5 – Published: 2024-08-30 16:55 – Updated: 2024-08-30 18:11
VLAI?
Title
Potential mXSS vulnerability due to improper HTML escaping in svelte
Summary
svelte performance oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19. Svelte improperly escapes HTML on server-side rendering. The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). More specifically, this can occur when injecting malicious content into an attribute within a `noscript` tag. This issue has been addressed in release version 4.2.19. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "svelte",
"vendor": "svelte",
"versions": [
{
"lessThan": "4.2.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45047",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T18:09:31.713710Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T18:11:07.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "svelte",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.2.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "svelte performance oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19. Svelte improperly escapes HTML on server-side rendering. The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). More specifically, this can occur when injecting malicious content into an attribute within a `noscript` tag. This issue has been addressed in release version 4.2.19. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T16:55:39.106Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c"
}
],
"source": {
"advisory": "GHSA-8266-84wp-wv5c",
"discovery": "UNKNOWN"
},
"title": "Potential mXSS vulnerability due to improper HTML escaping in svelte"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45047",
"datePublished": "2024-08-30T16:55:39.106Z",
"dateReserved": "2024-08-21T17:53:51.331Z",
"dateUpdated": "2024-08-30T18:11:07.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25875 (GCVE-0-2022-25875)
Vulnerability from cvelistv5 – Published: 2022-07-12 14:20 – Updated: 2024-09-17 04:14
VLAI?
Title
Cross-site Scripting (XSS)
Summary
The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Severity ?
5.4 (Medium)
CWE
- Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Maurício Kishi
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:44.469Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "svelte",
"vendor": "n/a",
"versions": [
{
"lessThan": "3.49.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Maur\u00edcio Kishi"
}
],
"datePublic": "2022-07-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 5.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-12T14:20:17",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"
}
],
"title": "Cross-site Scripting (XSS)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-07-12T14:15:41.933572Z",
"ID": "CVE-2022-25875",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "svelte",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.49.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Maur\u00edcio Kishi"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"
},
{
"name": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990",
"refsource": "MISC",
"url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"
},
{
"name": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907",
"refsource": "MISC",
"url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25875",
"datePublished": "2022-07-12T14:20:17.950532Z",
"dateReserved": "2022-02-24T00:00:00",
"dateUpdated": "2024-09-17T04:14:01.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29261 (GCVE-0-2021-29261)
Vulnerability from cvelistv5 – Published: 2021-04-05 06:15 – Updated: 2024-08-03 22:02
VLAI?
Summary
The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.444Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/language-tools/releases"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuln.ryotak.me/advisories/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-05T06:15:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/language-tools/releases"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuln.ryotak.me/advisories/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-29261",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode",
"refsource": "MISC",
"url": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode"
},
{
"name": "https://github.com/sveltejs/language-tools/releases",
"refsource": "MISC",
"url": "https://github.com/sveltejs/language-tools/releases"
},
{
"name": "https://vuln.ryotak.me/advisories/3",
"refsource": "MISC",
"url": "https://vuln.ryotak.me/advisories/3"
},
{
"name": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0",
"refsource": "MISC",
"url": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0"
},
{
"name": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075",
"refsource": "MISC",
"url": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-29261",
"datePublished": "2021-04-05T06:15:21",
"dateReserved": "2021-03-26T00:00:00",
"dateUpdated": "2024-08-03T22:02:51.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45047 (GCVE-0-2024-45047)
Vulnerability from nvd – Published: 2024-08-30 16:55 – Updated: 2024-08-30 18:11
VLAI?
Title
Potential mXSS vulnerability due to improper HTML escaping in svelte
Summary
svelte performance oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19. Svelte improperly escapes HTML on server-side rendering. The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). More specifically, this can occur when injecting malicious content into an attribute within a `noscript` tag. This issue has been addressed in release version 4.2.19. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:svelte:svelte:*:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "svelte",
"vendor": "svelte",
"versions": [
{
"lessThan": "4.2.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45047",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T18:09:31.713710Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T18:11:07.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "svelte",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.2.19"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "svelte performance oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19. Svelte improperly escapes HTML on server-side rendering. The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). More specifically, this can occur when injecting malicious content into an attribute within a `noscript` tag. This issue has been addressed in release version 4.2.19. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T16:55:39.106Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c"
}
],
"source": {
"advisory": "GHSA-8266-84wp-wv5c",
"discovery": "UNKNOWN"
},
"title": "Potential mXSS vulnerability due to improper HTML escaping in svelte"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45047",
"datePublished": "2024-08-30T16:55:39.106Z",
"dateReserved": "2024-08-21T17:53:51.331Z",
"dateUpdated": "2024-08-30T18:11:07.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25875 (GCVE-0-2022-25875)
Vulnerability from nvd – Published: 2022-07-12 14:20 – Updated: 2024-09-17 04:14
VLAI?
Title
Cross-site Scripting (XSS)
Summary
The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Severity ?
5.4 (Medium)
CWE
- Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Maurício Kishi
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:44.469Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "svelte",
"vendor": "n/a",
"versions": [
{
"lessThan": "3.49.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Maur\u00edcio Kishi"
}
],
"datePublic": "2022-07-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "NOT_DEFINED",
"scope": "UNCHANGED",
"temporalScore": 5.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-12T14:20:17",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"
}
],
"title": "Cross-site Scripting (XSS)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-07-12T14:15:41.933572Z",
"ID": "CVE-2022-25875",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "svelte",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.49.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Maur\u00edcio Kishi"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package svelte before 3.49.0 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-SVELTE-2931080"
},
{
"name": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990",
"refsource": "MISC",
"url": "https://github.com/sveltejs/svelte/pull/7530%23issuecomment-1158575990"
},
{
"name": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907",
"refsource": "MISC",
"url": "https://github.com/sveltejs/svelte/commit/f8605d6acbf66976da9b4547f76e90e163899907"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-25875",
"datePublished": "2022-07-12T14:20:17.950532Z",
"dateReserved": "2022-02-24T00:00:00",
"dateUpdated": "2024-09-17T04:14:01.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29261 (GCVE-0-2021-29261)
Vulnerability from nvd – Published: 2021-04-05 06:15 – Updated: 2024-08-03 22:02
VLAI?
Summary
The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.444Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/language-tools/releases"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuln.ryotak.me/advisories/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-05T06:15:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/language-tools/releases"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuln.ryotak.me/advisories/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-29261",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The unofficial Svelte extension before 104.8.0 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace configuration."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode",
"refsource": "MISC",
"url": "https://marketplace.visualstudio.com/items?itemName=svelte.svelte-vscode"
},
{
"name": "https://github.com/sveltejs/language-tools/releases",
"refsource": "MISC",
"url": "https://github.com/sveltejs/language-tools/releases"
},
{
"name": "https://vuln.ryotak.me/advisories/3",
"refsource": "MISC",
"url": "https://vuln.ryotak.me/advisories/3"
},
{
"name": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0",
"refsource": "MISC",
"url": "https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0"
},
{
"name": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075",
"refsource": "MISC",
"url": "https://github.com/sveltejs/language-tools/commit/5d7bf1fd98bfe2cd2080863a3c95ce099b898075"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-29261",
"datePublished": "2021-04-05T06:15:21",
"dateReserved": "2021-03-26T00:00:00",
"dateUpdated": "2024-08-03T22:02:51.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}