:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
## Vulnerable Library - noise-suppression-1.0.0-beta.8.tgz
Path to dependency file: /noise-suppression/denoize-file/package.json
Path to vulnerable library: /noise-suppression/denoize-file/package.json
Found in HEAD commit: 9b1f98ab042c8779c87c84b4c9fa92fab79a7be4
## Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
## Details

### CVE-2023-49293

#### Vulnerable Library - vite-4.5.0.tgz

Library home page: https://registry.npmjs.org/vite/-/vite-4.5.0.tgz
Path to dependency file: /noise-suppression/denoize-file/package.json
Path to vulnerable library: /noise-suppression/denoize-file/package.json
Dependency Hierarchy:
- noise-suppression-1.0.0-beta.8.tgz (Root Library)
  - :x: **vite-4.5.0.tgz** (Vulnerable Library)
Found in HEAD commit: 9b1f98ab042c8779c87c84b4c9fa92fab79a7be4
Found in base branch: main
#### Vulnerability Details

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (``), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.
Publish Date: 2023-12-04
URL: CVE-2023-49293
#### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

#### Suggested Fix

Type: Upgrade version
Origin: https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97
Release Date: 2023-12-04
Fix Resolution: vite - 4.4.12, 4.5.1, 5.0.5