Cross-Site Scripting Vulnerability in NuGet Gallery's Autolinks Handling
CVE-2024-37304
Currently unrated
What is CVE-2024-37304?
NuGet Gallery, the popular package repository for .NET, is vulnerable to Cross-Site Scripting (XSS) because it improperly handles autolinks in Markdown content. While it effectively filters JavaScript out of standard links, the platform fails to properly sanitize autolinks, which allows attackers to inject JavaScript code through them. This can potentially lead to malicious code executing in users' browsers when they click on unsanitized links. A patch addressing this issue is available in version 2024.05.28.
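
The gap described above, as an added example (not NuGet Gallery's code or its patch): a scheme allowlist that inspects only [text](url) links misses <scheme:...> autolinks, while a check over both link forms catches them. The regex patterns, the allowlist and all function names are assumptions for illustration, and the sample text is constructed.

```python
import re

# Assumed allowlist; the page does not say which schemes NuGet Gallery permits.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Simplified patterns (a real renderer should inspect the parsed Markdown AST).
INLINE_LINK = re.compile(r"\[([^\]]*)\]\(\s*([^)\s]+)\s*\)")
# CommonMark autolink: "<", a 2-32 character scheme, ":", no spaces or "<>", ">"
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]{1,31}:[^\s<>]*)>")
SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")


def is_safe(url):
    """True for relative URLs and for absolute URLs with an allowed scheme."""
    cleaned = re.sub(r"[\x00-\x20]", "", url)  # drop control chars and spaces
    m = SCHEME.match(cleaned)
    return m is None or m.group(1).lower() in ALLOWED_SCHEMES


def unsafe_links(md, check_autolinks=True):
    """Return (kind, url) for every link whose scheme is not allowed.

    check_autolinks=False models the gap described above: only [text](url)
    links are inspected, so <scheme:...> autolinks pass through unchecked.
    """
    found = [("inline", m.group(2)) for m in INLINE_LINK.finditer(md)]
    if check_autolinks:
        found += [("autolink", m.group(1)) for m in AUTOLINK.finditer(md)]
    return [(kind, url) for kind, url in found if not is_safe(url)]


def neutralize(md):
    """Turn disallowed links into plain text instead of clickable links."""
    md = INLINE_LINK.sub(
        lambda m: m.group(0) if is_safe(m.group(2)) else m.group(1), md)
    return AUTOLINK.sub(
        lambda m: m.group(0) if is_safe(m.group(1))
        else "&lt;" + m.group(1) + "&gt;", md)


# Constructed sample README text; the javascript: URLs are inert placeholders.
SAMPLE = (
    "[docs](https://example.test/docs) [x](javascript:0)\n"
    "<https://example.test/> <JavaScript:0>\n"
)

if __name__ == "__main__":
    print("inline-only check:", unsafe_links(SAMPLE, check_autolinks=False))
    print("both link forms:  ", unsafe_links(SAMPLE))
    print(neutralize(SAMPLE), end="")
```

The scheme comparison is case-insensitive because browsers treat URL schemes that way, so a filter that matches only lowercase "javascript:" would be incomplete even for standard links.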
