THREATINT
PUBLISHED

CVE-2024-32468

Improper neutralization of input during web page generation ("Cross-site Scripting") in deno_doc HTML generator



Description

Deno is a runtime for JavaScript and TypeScript written in Rust. Several cross-site scripting vulnerabilities existed in the `deno_doc` crate, which led to Self-XSS with `deno doc --html`.

1. XSS in the generated `search_index.js`: `deno_doc` outputs a JavaScript file for searching. However, the generated file used `innerHTML` on unsanitized HTML input.
2. XSS via property, method and enum names: `deno_doc` did not sanitize property names, method names and enum names.

The first XSS most likely didn't have an impact since `deno doc --html` is expected to be used locally with one's own packages.
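The pattern described above, as an added example (not deno_doc's code): a search-result renderer that interpolates symbol names into an HTML string destined for `innerHTML`, next to a version that escapes every field first. The entry fields, function names and sample index are assumptions constructed for illustration.

```javascript
// Constructed sample index. The field names are assumptions, not deno_doc's schema.
// The second entry models a property whose name contains markup.
const sampleIndex = [
  { name: "readFile", kind: "function", file: "fs.ts" },
  { name: "<img src=x onerror=alert(1)>", kind: "property", file: "mod.ts" },
];

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Case-insensitive substring match on the symbol name.
function search(entries, query) {
  const q = query.toLowerCase();
  return entries.filter((e) => e.name.toLowerCase().includes(q));
}

// Before: fields are interpolated as-is. Once this string is assigned to
// element.innerHTML, markup inside a symbol name is parsed as live HTML.
function renderUnsafe(entries) {
  return entries
    .map((e) => `<li><code>${e.name}</code> <em>${e.kind}</em> in ${e.file}</li>`)
    .join("");
}

// After: every field that originates from source code is escaped, so a
// hostile name is displayed as text instead of being parsed as an element.
function renderSafe(entries) {
  return entries
    .map((e) =>
      `<li><code>${escapeHtml(e.name)}</code> ` +
      `<em>${escapeHtml(e.kind)}</em> in ${escapeHtml(e.file)}</li>`)
    .join("");
}

const hits = search(sampleIndex, "img");
console.log("unsafe:", renderUnsafe(hits));
console.log("safe:  ", renderSafe(hits));
```

In a browser, building the nodes with `document.createElement` and assigning names through `textContent` avoids HTML parsing entirely and removes the need for manual escaping.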

Reserved 2024-04-12 | Published 2024-11-25 | Updated 2024-11-25 | Assigner GitHub_M


MEDIUM: 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

deno_doc: < 0.119.0
affected

deno: < 1.42.0
affected

References

github.com/...d/deno/security/advisories/GHSA-qqwr-j9mm-fhw6

github.com/...6e75eb6b73e/src/html/templates/pages/search.js

cve.org (CVE-2024-32468)

nvd.nist.gov (CVE-2024-32468)
