omise / omise-woocommerce

Omise WooCommerce Plugin
https://docs.opn.ooo/woocommerce-plugin
MIT License

Fix Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS #478

Open andrisecops opened 1 month ago

andrisecops commented 1 month ago

Description

We discovered a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

CWE-79 CVE-2024-43788

Rollback procedure

default rollback procedure
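The following is an added example, not code from this PR, from the omise-woocommerce project, or from webpack itself. It models in plain Node-runnable JavaScript why a runtime that reads `document.currentScript.src` to compute its public path is exposed when the page lets a scriptless element carry an attacker-chosen `name` attribute: the named element shadows `document.currentScript`, and its `src` then becomes the base URL for chunk loading. The `document` objects, the URLs, and the function names (`publicPathVulnerable`, `publicPathHardened`, `isCurrentScriptTrustworthy`) are all constructed stand-ins; the hardened variant illustrates the class of mitigation (only accept a genuine `<script>` element, otherwise use a static fallback) and is not webpack's patch verbatim.

```javascript
// Added example: DOM Clobbering of document.currentScript and a type check
// that defends against it. Browser DOM objects are replaced by constructed
// plain objects so the file runs under Node without a DOM.

// Constructed stand-in for what a browser exposes as document.currentScript
// while <script src="https://cdn.example/assets/app.js"> is executing.
const legitimateScript = {
  tagName: 'SCRIPT',
  src: 'https://cdn.example/assets/app.js',
};

// Constructed stand-in for a clobbered lookup: an <img name="currentScript">
// injected into the page resolves under the same property name, and its src
// is not a bundle URL at all.
const clobberedElement = {
  tagName: 'IMG',
  src: 'https://attacker.example/x/app.js',
};

// Public path = directory part of the script URL, with fragment and query removed.
function directoryOf(src) {
  return src.replace(/#.*$/, '').replace(/\?.*$/, '').replace(/\/[^/]+$/, '/');
}

// Only a real <script> element is an acceptable source for the bundle URL.
function isCurrentScriptTrustworthy(el) {
  return Boolean(el) && typeof el.tagName === 'string' && el.tagName.toUpperCase() === 'SCRIPT';
}

// Vulnerable shape: trusts document.currentScript.src as long as it is truthy.
// A clobbered currentScript therefore redirects every later chunk load.
function publicPathVulnerable(doc) {
  let scriptUrl;
  if (doc.currentScript) scriptUrl = doc.currentScript.src;
  if (!scriptUrl) throw new Error('Automatic publicPath is not supported in this browser');
  return directoryOf(scriptUrl);
}

// Hardened shape (assumption: illustrative, not webpack's code): accept
// currentScript only when it is a genuine script element, otherwise fall back
// to a static public path supplied at build time.
function publicPathHardened(doc, staticFallback) {
  let scriptUrl;
  if (isCurrentScriptTrustworthy(doc.currentScript)) scriptUrl = doc.currentScript.src;
  if (!scriptUrl) {
    if (staticFallback === undefined) {
      throw new Error('Automatic publicPath unavailable; configure output.publicPath');
    }
    return staticFallback;
  }
  return directoryOf(scriptUrl);
}

// Constructed documents: one normal, one where the property has been clobbered.
const docNormal = { currentScript: legitimateScript };
const docClobbered = { currentScript: clobberedElement };

console.log('vulnerable, normal page:   ', publicPathVulnerable(docNormal));
console.log('vulnerable, clobbered page:', publicPathVulnerable(docClobbered));
console.log('hardened,   normal page:   ', publicPathHardened(docNormal, '/static/'));
console.log('hardened,   clobbered page:', publicPathHardened(docClobbered, '/static/'));
```

The same tagName check is a cheap thing to add to any runtime or loader that keys off `document.currentScript`; pairing it with an explicit `output.publicPath` removes the automatic lookup from the attack surface entirely, which is the simplest mitigation where the deployment URL is known in advance.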

aashishgurung commented 1 week ago

@andrisecops Thank you for reaching out. Can you please update the PR so that it includes package.json?