CVE-2024-47885

{"id": "CVE-2024-47885", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2024-10-14T19:15:10.903", "references": [{"url": "https://github.com/withastro/astro/blob/7814a6cad15f06931f963580176d9b38aa7819f2/packages/astro/src/transitions/router.ts#L135-L156", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://github.com/withastro/astro/commit/a4ffbfaa5cb460c12bd486fd75e36147f51d3e5e", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/withastro/astro/security/advisories/GHSA-m85w-3h95-hcf9", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has *stored* attacker-controlled scriptless HTML elements (i.e., `iframe` tags with unsanitized `name` attributes) on the destination pages. This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with `ViewTransitions` and store the user-inserted scriptless HTML tags without properly sanitizing the `name` attributes on the page. Version 4.16.1 contains a patch for this issue."}, {"lang": "es", "value": "El framework web Astro tiene un gadget de DOM Clobbering en el enrutador del lado del cliente a partir de la versi\u00f3n 3.0.0 y antes de la versi\u00f3n 4.16.1. Puede provocar Cross Site Scripting (XSS) en sitios web que habilitan el enrutamiento del lado del cliente de Astro y han *almacenado* elementos HTML sin secuencias de comandos controlados por el atacante (es decir, etiquetas `iframe` con atributos `name` sin sanear) en las p\u00e1ginas de destino. Esta vulnerabilidad puede provocar ataques de Cross Site Scripting (XSS) en sitios web creados con Astro que habilitan el enrutamiento del lado del cliente con `ViewTransitions` y almacenan las etiquetas HTML sin secuencias de comandos insertadas por el usuario sin sanear adecuadamente los atributos `name` en la p\u00e1gina. La versi\u00f3n 4.16.1 contiene un parche para este problema."}], "lastModified": "2025-11-25T13:51:57.327", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3CF7C254-B4A6-4B46-9FB4-27404BCF3157", "versionEndExcluding": "4.16.1", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}