CVE-2024-53386
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Tags
Description
Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
Analysis
Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Technical Context
This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements. Affected products include: Piqnt Stage.Js. Version information: through 0.8.10.
Affected Products
Piqnt Stage.Js.
Remediation
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today