Astro Web Framework Vulnerability Could Lead to Cross-Site Scripting Attacks
CVE-2024-47885
What is CVE-2024-47885?
Astro's client-side router contains a DOM Clobbering gadget. Versions 3.0.0 through 4.16.0 are affected: a site that enables client-side routing and renders stored, attacker-controlled HTML elements (for example `<iframe>` tags whose `name` attribute is not sanitized) can be driven into cross-site scripting (XSS). DOM Clobbering works because an element with a `name` (or `id`) attribute becomes a named property of `document` or `window` and shadows the built-in property of the same name; when the router reads such a property during a client-side navigation, it receives the attacker's element (or, for an iframe, its window) instead of the value it expects, and the way the router then uses that value leads to XSS. A sanitizer that removes `<script>` tags but allows `<iframe>` elements with arbitrary `name` attributes does not prevent this. The gadget sits in the client-side router, so only sites that enable client-side routing (the ViewTransitions feature introduced in the 3.x line) are exposed. Version 4.16.1 fixes the issue; upgrade to 4.16.1 or later.
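The following is an added example and not Astro's code. It reproduces the mechanism in Node with a small stand-in for `document`: a stored `<iframe name="...">` shadows a `document` property, a router-style lookup through `document.*` then gets the iframe's window instead of the script collection, and only a lookup that bypasses named properties is immune. The property names exercised (`scripts`, `getElementsByTagName`) and the page content are assumptions chosen for illustration; the advisory itself only states that unsanitized iframe `name` attributes are the gadget.

```javascript
// Added example, not Astro's code. Models in Node how a stored element with a
// `name` attribute clobbers a property of `document`, why a `document.*` lookup
// in a client-side router can therefore return an attacker-controlled object, and
// which lookups survive. Property names `scripts` and `getElementsByTagName` are
// assumptions for illustration, not taken from the advisory.
//
// Browser behaviour being modelled: HTMLDocument is [LegacyOverrideBuiltIns], so
// iframe/form/embed/img/object elements with a `name` attribute become named
// properties of `document` that shadow same-named built-ins, and a named iframe
// resolves to its WindowProxy rather than to the element.

const NAMED_PROPERTY_TAGS = new Set(['iframe', 'form', 'embed', 'img', 'object']);
const ELEMENTS = Symbol('elements');

// Minimal element model (constructed for this example).
function el(tag, attrs = {}, text = '') {
  return { tag, attrs: { ...attrs }, text };
}

// Built-in document behaviour, reachable through the prototype.
const DocumentPrototype = {
  get scripts() {
    return this[ELEMENTS].filter((e) => e.tag === 'script');
  },
  getElementsByTagName(tag) {
    return this[ELEMENTS].filter((e) => e.tag === tag);
  },
};

// Stand-in for `document`: named elements win over built-ins, as in a browser.
function makeDocument(elements) {
  return new Proxy(Object.create(DocumentPrototype), {
    get(target, prop, receiver) {
      if (prop === ELEMENTS) return elements;
      if (typeof prop === 'string') {
        const named = elements.find((e) => NAMED_PROPERTY_TAGS.has(e.tag) && e.attrs.name === prop);
        if (named) {
          return named.tag === 'iframe' ? { isWindowProxy: true, frameElement: named } : named;
        }
      }
      return Reflect.get(target, prop, receiver);
    },
  });
}

function summarize(scripts) {
  return scripts.map((s) => s.attrs.src ?? s.text);
}

// Vulnerable pattern: trust `document.scripts` to be the <script> collection.
function collectScriptsVulnerable(doc) {
  const scripts = doc.scripts;
  if (!Array.isArray(scripts)) return { clobbered: true, scripts: [] };
  return { clobbered: false, scripts: summarize(scripts) };
}

// Tag-name query: cannot hand back a foreign element, but the method itself is
// still a `document.*` lookup, so a colliding name turns the call into a
// TypeError (the page breaks instead of running attacker content).
function collectScriptsByTagName(doc) {
  try {
    return { clobbered: false, scripts: summarize(doc.getElementsByTagName('script')) };
  } catch (err) {
    if (err instanceof TypeError) return { clobbered: true, scripts: [] };
    throw err;
  }
}

// Robust form: reach the built-in through the prototype so no named property is
// consulted. Browser equivalent: Document.prototype.getElementsByTagName.call(document, 'script').
function collectScriptsViaPrototype(doc) {
  const scripts = DocumentPrototype.getElementsByTagName.call(doc, 'script');
  return { clobbered: false, scripts: summarize(scripts) };
}

// Sanitizer-side check: drop `name` on named-property elements when it collides
// with a property the application reads from `document`.
function stripClobberingNames(elements, reserved = Object.getOwnPropertyNames(DocumentPrototype)) {
  const blocked = new Set(reserved);
  return elements.map((e) => {
    if (!NAMED_PROPERTY_TAGS.has(e.tag) || !blocked.has(e.attrs.name)) return e;
    const { name, ...rest } = e.attrs;
    return { ...e, attrs: rest };
  });
}

// Constructed page: one legitimate script plus stored user HTML that survived a
// sanitizer which only removes <script> tags.
const STORED_USER_HTML = [
  el('iframe', { name: 'scripts', src: 'about:blank' }),
  el('iframe', { name: 'getElementsByTagName', src: 'about:blank' }),
];
const PAGE = [el('script', { src: '/_astro/page.js' }), ...STORED_USER_HTML];
```

Run against `makeDocument(PAGE)`, `collectScriptsVulnerable` reports the clobbered lookup, `collectScriptsByTagName` fails closed with a TypeError, and only `collectScriptsViaPrototype` returns the real script list; after `stripClobberingNames(PAGE)` all three agree. The practical takeaways are the same in a real browser: router or bootstrap code should not read collections or helpers off `document`/`window` by bare property access when the page can contain user HTML, and a sanitizer that keeps `<iframe>`, `<form>`, `<embed>`, `<img>` or `<object>` should strip or allow-list their `name` and `id` attributes rather than pass them through.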

Affected Version(s)
astro >=3.0.0, < 4.16.1
