CVE-2024-41677 – Cross-site Scripting (XSS) vulnerability due to improper HTML escaping in qwik

https://notcve.org/view.php?id=CVE-2024-41677

06 Aug 2024 — Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the `render-ssr.ts` file. It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. • https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •