CVE-2024-21504

Опубликовано: 19 мар. 2024

Источник: nvd

CVSS3: 6.1

EPSS Низкий

Описание

Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 are vulnerable to Cross-site Scripting (XSS) when a page uses [Url] for a property. An attacker can inject HTML code in the context of the user's browser session by crafting a malicious link and convincing the user to click on it.

Ссылки

https://github.com/livewire/livewire/commit/c65b3f0798ab2c9338213ede3588c3cdf4e6fcc0
Patch
https://github.com/livewire/livewire/pull/8117
Issue Tracking
Patch
https://github.com/livewire/livewire/releases/tag/v3.4.9
Release Notes
https://security.snyk.io/vuln/SNYK-PHP-LIVEWIRELIVEWIRE-6446222
Exploit
Third Party Advisory
https://github.com/livewire/livewire/commit/c65b3f0798ab2c9338213ede3588c3cdf4e6fcc0
Patch
https://github.com/livewire/livewire/pull/8117
Issue Tracking
Patch
https://github.com/livewire/livewire/releases/tag/v3.4.9
Release Notes
https://security.snyk.io/vuln/SNYK-PHP-LIVEWIRELIVEWIRE-6446222
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:laravel:livewire:*:*:*:*:*:*:*:*

Версия от 3.3.5 (включая) до 3.4.9 (включая)

EPSS

Процентиль: 26%

0.00091

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-389c-cf87-qmwj