Cross-site Scripting in `server.transformIndexHtml` via URL payload in vite
CVE-2023-49293

6.1 MEDIUM

Key Information:

Vendor
vitejs
Status
Vendor
CVE Published:
4 December 2023

Summary

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the HTML being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in [email protected], [email protected], and [email protected]. There are no known workarounds for this vulnerability.

Affected Version(s)

vite >= 4.4.0, < 4.4.12

vite = 4.5.0

vite >= 5.0.0, < 5.0.5
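To check resolved vite versions (for example from a lockfile or `npm ls vite`) against the ranges listed above, the following is an added example, not code from this page or from the Vite project. The function names and the sample inventory are constructed for illustration. A version match only means the install is in an affected range; the conditions in the Summary (`appType: 'custom'`, an inline module script, the request URL passed to `server.transformIndexHtml`) still decide whether an app is exposed.

```javascript
// Affected ranges copied from the "Affected Version(s)" list on this page.
const AFFECTED_RANGES = [
  { min: [4, 4, 0], max: [4, 4, 12], maxInclusive: false }, // >= 4.4.0, < 4.4.12
  { min: [4, 5, 0], max: [4, 5, 0], maxInclusive: true },   // = 4.5.0
  { min: [5, 0, 0], max: [5, 0, 5], maxInclusive: false },  // >= 5.0.0, < 5.0.5
];

// Parse a resolved version such as "4.4.11" or "v5.0.0-beta.20" (not a range like "^4.4.0").
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "affected", "not-listed", "unknown" (pre-release; the page does not
// say how these are treated) or "unparseable".
function classifyViteVersion(text) {
  const v = parseVersion(text);
  if (!v) return "unparseable";
  if (v.prerelease) return "unknown";
  const hit = AFFECTED_RANGES.some((r) => {
    const upper = compare(v.parts, r.max);
    return compare(v.parts, r.min) >= 0 && (r.maxInclusive ? upper <= 0 : upper < 0);
  });
  return hit ? "affected" : "not-listed";
}

// Classify every entry of an inventory of { project, vite } records.
function auditInstalls(installs) {
  return installs.map(({ project, vite }) => ({ project, vite, status: classifyViteVersion(vite) }));
}

// Constructed sample inventory (hypothetical project names).
const SAMPLE_INSTALLS = [
  { project: "storefront", vite: "4.4.11" },
  { project: "admin-ui", vite: "4.5.0" },
  { project: "docs-site", vite: "5.0.5" },
  { project: "prototype", vite: "5.0.0-beta.20" },
];

console.log(auditInstalls(SAMPLE_INSTALLS));
```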

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
