CVE-2024-43788

DOM Clobbering Gadget found in Webpack's AutoPublicPathRuntimeModule that leads to Cross-site Scripting (XSS)

Severity Score

6.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.

A DOM Clobbering vulnerability was found in Webpack via `AutoPublicPathRuntimeModule`. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script through seemingly benign HTML markups in the webpage, for example, through a post or comment, and leverages the gadgets (pieces of JS code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to Cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or ID attributes.

This update for pgadmin4 fixes the following issues. Fixed socket.io: unhandled 'error' event. Fixed requirejs: prototype pollution via function config. Fixed requirejs: prototype pollution via function s.contexts._.configure. Fixed axios: server-side request forgery due to requests for path relative URLs being processed as protocol relative URLs in axios. Fixed micromatch: vulnerable to Regular Expression Denial of Service. Fixed braces: fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. Fixed webpack: DOM clobbering gadget in AutoPublicPathRuntimeModule could lead to XSS Fixed elliptic: ECDSA signature verification error due to leading zero may reject legitimate transactions in elliptic. Fixed elliptic: Missing Validation in Elliptic's EDDSA Signature Verification. Fixed OAuth2 issue that could lead to information leak.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-08-16 CVE Reserved
2024-08-27 CVE Published
2025-01-09 CVE Updated
2025-05-12 First Exploit
2025-06-23 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (8)

URL	Tag	Source
https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61	X_refsource_misc
https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986	X_refsource_confirm
https://research.securitum.com/xss-in-amp4email-dom-clobbering	X_refsource_misc
https://scnps.co/papers/sp23_domclob.pdf	X_refsource_misc
https://github.com/webpack/webpack/issues/18718#issuecomment-2326296270	X_refsource_misc

URL	Date	SRC
https://github.com/batzionb/webpack-cve-2024-43788	2025-05-12

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-43788	2025-02-10
https://bugzilla.redhat.com/show_bug.cgi?id=2308193	2025-02-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Webpack Search vendor "Webpack"		Webpack Search vendor "Webpack" for product "Webpack"				>= 5.0.0 < 5.94.0 Search vendor "Webpack" for product "Webpack" and version " >= 5.0.0 < 5.94.0"		en		Affected