
PUBLISHED

CVE-2024-54138

XSS Vulnerability in NuGetGallery's Markdown Autolinks Processing



Description

NuGet Gallery is a package repository that powers nuget.org. The NuGetGallery has a security vulnerability related to its handling of autolinks in Markdown content. While the platform properly filters out JavaScript from standard links, it does not adequately sanitize autolinks. This oversight allows attackers to exploit autolinks as a vector for Cross-Site Scripting (XSS) attacks. This vulnerability is fixed in 2024.12.06.
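The defect described above is a sanitizer that covers one Markdown link syntax but not the other. As an added illustration of the corrected behaviour (example code written for this page, not NuGetGallery's own Markdig-based implementation), the simplified renderer below applies one URL scheme allowlist to both inline links and autolinks; the regexes are a deliberately reduced Markdown subset and the allowlist is an assumption.

```python
import html
import re

# Assumed allowlist: only these schemes may become an href.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Reduced Markdown subset: [text](dest) inline links and <dest> autolinks.
LINK = re.compile(
    r"\[(?P<text>[^\]]*)\]\((?P<dest>[^)\s]+)\)"      # inline link
    r"|<(?P<auto>[a-zA-Z][a-zA-Z0-9+.-]*:[^\s<>]*)>"  # autolink
)


def is_safe_url(dest: str) -> bool:
    """Allowlist the scheme after removing characters browsers ignore in it."""
    # Browsers drop tabs/newlines and leading whitespace when parsing a URL,
    # so a scheme check must see the same normalized string they do.
    cleaned = "".join(ch for ch in dest if ch not in "\t\r\n").strip()
    scheme, sep, _ = cleaned.partition(":")
    if not sep:
        return True  # relative URL, no scheme to check
    return scheme.lower() in SAFE_SCHEMES


def render_link(text: str, dest: str) -> str:
    """Emit an anchor only for allowlisted schemes; otherwise keep plain text."""
    if is_safe_url(dest):
        return f'<a href="{html.escape(dest, quote=True)}">{html.escape(text)}</a>'
    return html.escape(text)


def render_markdown_links(src: str) -> str:
    """Render both link syntaxes through the same check; escape everything else."""
    out, pos = [], 0
    for m in LINK.finditer(src):
        out.append(html.escape(src[pos:m.start()]))
        if m.group("auto") is not None:
            # Autolink: the destination is also the visible text.
            out.append(render_link(m.group("auto"), m.group("auto")))
        else:
            out.append(render_link(m.group("text"), m.group("dest")))
        pos = m.end()
    out.append(html.escape(src[pos:]))
    return "".join(out)
```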

Reserved 2024-11-29 | Published 2024-12-06 | Updated 2024-12-10 | Assigner GitHub_M


MEDIUM: 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 2024.12.06: affected

References

github.com/...allery/security/advisories/GHSA-x448-p234-x5p8

github.com/NuGet/NuGetGallery/pull/10296

cve.org (CVE-2024-54138)

nvd.nist.gov (CVE-2024-54138)

https://cve.threatint.com/CVE/CVE-2024-54138