build-onchain-apps icon indicating copy to clipboard operation
build-onchain-apps copied to clipboard
verified publisher icon coinbase

fix: Update AutoPublicPathRuntimeModule Webpack's

Open kreeksec opened this issue 1 year ago • 0 comments

What changed? Why? We discovered a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code.

Notes to reviewers WeaknessCWE-79 CVE-2024-43788

How has it been tested? We identified a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. When the output.publicPath field in the configuration is not set or is set to auto.

kreeksec avatar Dec 01 '24 19:12 kreeksec