
CVE-2024-34343 – Cross-site Scripting (XSS) in navigateTo if used after SSR in nuxt
https://notcve.org/view.php?id=CVE-2024-34343
05 Aug 2024 — Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The `navigateTo` function attempts to block the `javascript:` protocol, but does not correctly use the APIs provided by `unjs/ufo`. This library also contains parsing discrepancies. The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. • https://github.com/nuxt/nuxt/security/advisories/GHSA-vf6r-87q4-2vjf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-23657 – Path Traversal: '../filedir' in Nuxt Devtools
https://notcve.org/view.php?id=CVE-2024-23657
05 Aug 2024 — Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing authentication on the `getTextAssetContent` RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker is able to interact with a locally running devtools instance and exfiltrate data abusing this vulnerability. In certain configurations an attacker could leak the devtools authentication token and then abuse oth... • https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/dev-auth.ts#L14 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-24: Path Traversal: '../filedir' •

CVE-2023-3224 – Code Injection in nuxt/nuxt
https://notcve.org/view.php?id=CVE-2023-3224
13 Jun 2023 — Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3. • https://github.com/nuxt/nuxt/commit/65a8f4eb3ef1b249a95fd59e323835a96428baff • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-2138 – Use of Hard-coded Credentials in nuxtlabs/github-module
https://notcve.org/view.php?id=CVE-2023-2138
18 Apr 2023 — Use of Hard-coded Credentials in GitHub repository nuxtlabs/github-module prior to 1.6.2. • https://github.com/nuxtlabs/github-module/commit/5490c43f729eee60f07920bf88c0aabdc1398b6e • CWE-798: Use of Hard-coded Credentials •

CVE-2023-0878 – Cross-site Scripting (XSS) - Generic in nuxt/framework
https://notcve.org/view.php?id=CVE-2023-0878
17 Feb 2023 — Cross-site Scripting (XSS) - Generic in GitHub repository nuxt/framework prior to 3.2.1. • https://github.com/nuxt/framework/commit/7aa35ff958eec0c7d071d3fcd481db57281dbcd9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •