jackfromeast jackfromeast

jackfromeast / diff.sh
Created January 12, 2025 17:49
latexdiff for multi-files latex project
#!/bin/bash
# Requires inkscape to automatically convert SVG to PDF.
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <submission-version-folder> <latest-version-folder>"
    exit 1
fi
SUBMISSION_FOLDER="$1"
LATEST_FOLDER="$2"
jackfromeast / report.md
Created October 31, 2024 16:13
DOM Clobbering Gadget found in UMeditor that leads to XSS

Summary

We identified a DOM Clobbering vulnerability within the UMeditor library (version 1.2.2). The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where attacker-controlled HTML elements (e.g., an a tag with an unsanitized id attribute) are present.

Note that we have found similar issues in other popular client-side libraries for building websites, including Webpack (CVE-2024-43788), Vite (CVE-2024-45812), and layui (CVE-2024-47075), which might be good references for this kind of vulnerability.

Details

Backgrounds

jackfromeast / report.md
Created October 31, 2024 16:06
DOM Clobbering Gadget found in inspire.js that leads to XSS

Summary

We identified a DOM Clobbering vulnerability within the inspire.js library (version 1.10). The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that we have found similar issues in other popular client-side libraries for building websites, including Webpack (CVE-2024-43788), Vite (CVE-2024-45812), and layui (CVE-2024-47075), which might be good references for this kind of vulnerability.

Details

Backgrounds

jackfromeast / report.md
Created October 31, 2024 16:02
DOM Clobbering Gadget found in Stage.js that leads to XSS

Summary

We identified a DOM Clobbering vulnerability within the Stage.js library (version 0.8.10). The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that we have found similar issues in other popular client-side libraries for building websites, including Webpack (CVE-2024-43788), Vite (CVE-2024-45812), and layui (CVE-2024-47075), which might be good references for this kind of vulnerability.

Details

Backgrounds

jackfromeast / report.md
Last active March 3, 2025 02:33
DOM Clobbering Gadget found in Mavo that leads to XSS

Summary

We identified a DOM Clobbering vulnerability within the Mavo library (version 0.3.2). The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Given the usage of Mavo in various web applications, addressing this vulnerability will enhance its resilience against DOM Clobbering attacks.

Details

Backgrounds

jackfromeast / report.md
Created October 31, 2024 15:32
DOM Clobbering Gadget found in tsup bundled scripts that leads to XSS

Summary

We identified a DOM Clobbering vulnerability in the Tsup bundler (version 8.3.4). The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that we have found similar issues in other popular client-side bundler libraries, including Webpack (CVE-2024-43788) and Vite (CVE-2024-45812), which might be good references for this kind of vulnerability. Due to the popularity of Tsup among JavaScript projects, we believe it is important to make Tsup resilient against DOM Clobbering attacks.

Details

Backgrounds

jackfromeast / report.md
Created October 31, 2024 15:16
DOM Clobbering Gadget found in Prism that leads to XSS

Summary

We identified a DOM Clobbering vulnerability within the Prism library's prism-autoloader plugin (version 1.29.0). This vulnerability could lead to cross-site scripting (XSS) attacks in web pages that embed Prism and allow users to inject scriptless HTML elements (e.g., an img tag with a controlled name attribute).

Note that we have found similar issues in other popular client-side libraries, including Webpack (CVE-2024-43788), Vite (CVE-2024-45812), and layui (CVE-2024-47075), which might be good references for this kind of vulnerability. So, given the wide adoption of Prism in modern websites, we think it is necessary to make Prism resistant against DOM Clobbering attacks.

Details

Backgrounds

jackfromeast / report.md
Last active March 3, 2025 02:27
DOM Clobbering Gadget found in seajs that leads to XSS

Hi, MITRE Security team!

Summary

I have discovered a DOM Clobbering vulnerability in the seajs package. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that we have found similar issues in other popular client-side libraries for building websites, including Webpack (CVE-2024-43788), Vite (CVE-2024-45812), and layui (CVE-2024-47075), which might be good references for this kind of vulnerability.

Details

jackfromeast / report.md
Last active March 3, 2025 02:23
DOM Clobbering Gadget found in cusdis that leads to XSS

Hi, MITRE Security team!

Summary

I have discovered a DOM Clobbering vulnerability in the cusdis package. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that we have found similar issues in other popular client-side libraries for building websites, including Webpack (CVE-2024-43788), Vite (CVE-2024-45812), and layui (CVE-2024-47075), which might be good references for this kind of vulnerability.

Details

jackfromeast / report.md
Last active March 3, 2025 02:20
DOM Clobbering gadget found in cujojs/curl that leads to XSS

Hi, MITRE Security team!

Summary

I have discovered a DOM Clobbering vulnerability in the cujojs/curl package. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that we have found similar issues in other popular client-side libraries for building websites, including Webpack (CVE-2024-43788), Vite (CVE-2024-45812), and layui (CVE-2024-47075), which might be good references for this kind of vulnerability.

Details