Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependabot Alert: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS #650

Open
JennaySDavis opened this issue Sep 18, 2024 · 2 comments
Open

Dependabot Alert: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS #650

JennaySDavis opened this issue Sep 18, 2024 · 2 comments
Assignees
@johnbeallgsa
Labels
Dependabot Alert Sprint 41

Comments

@JennaySDavis
Copy link
Contributor

We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
@john-labbate john-labbate self-assigned this Oct 15, 2024
@JennaySDavis
Copy link
Contributor Author

Acceptance Criteria

Pass/Fail Description
Pass Full Regression Testing of Training Website

Comments/Additional Notes
N/A

ADA Compliance (Automated scan via Chrome Lighthouse)

Criteria Score
Performance 98
Accessibility 100
Best Practices 100

Passed 10/16/2024 - JSD

@johnbeallgsa
Copy link

Thanks for explaining in the demo. I am moving to Done.

felder101 added a commit that referenced this issue Oct 17, 2024
@felder101
Production Release (Sprint 41)
290d06b 
Dependabot Alert: Vite's server.fs.deny is bypassed when using ?import&raw #651
Dependabot Alert: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS #650
Dependabot Alert: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS #650
Biobased in Training #663
@felder101 felder101 mentioned this issue Oct 17, 2024
Merged
felder101 added a commit that referenced this issue Oct 18, 2024
@felder101
Production Release (Sprint 41) (#677)
0c44904 
Dependabot Alert: Vite's server.fs.deny is bypassed when using ?import&raw #651
Dependabot Alert: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS #650
Dependabot Alert: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS #650
Biobased in Training #663
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@johnbeallgsa johnbeallgsa

Labels
Dependabot Alert Sprint 41
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@john-labbate @johnbeallgsa @JennaySDavis