CVE-2024-45389

MEDIUM · EPSS 31.6%
CVSS 3.1: 5.4 (Medium)
Published Sep 3, 2024 · Last Modified Jun 17, 2026

Description

Pagefind, a fully static search library, initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script the user loads. This information is gathered by looking up the value of `document.currentScript.src`. Prior to Pagefind version 1.1.1, it is possible to "clobber" this lookup with otherwise benign HTML on the page. This will cause `document.currentScript.src` to resolve as an external domain, which will then be used by Pagefind to load dependencies. This exploit would only work if an attacker could inject HTML into a live, hosted website. In these cases, it would act as a way to escalate the privilege available to the attacker. This assumes they have the ability to add some elements to the page (for example, `img` tags with a `name` attribute), but not others, as adding a `script` to the page would itself be the cross-site scripting vector. Pagefind has tightened this resolution in version 1.1.1 by ensuring the source is loaded from a valid script element. There are no reports of this being exploited in the wild via Pagefind.
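The stricter resolution described above, sketched as an added example (not Pagefind's actual patch or code from the advisory). `FakeScript` and `FakeImg` are constructed stand-ins for `HTMLScriptElement` and `HTMLImageElement` so the block runs outside a browser, the hosts are placeholders, and the optional origin allow-list goes beyond what the advisory states.

```javascript
// Constructed stand-ins for DOM classes (assumption: in a browser you would
// pass HTMLScriptElement and the real `document` instead).
class FakeScript { constructor(src) { this.src = src; } }
class FakeImg { constructor(name, src) { this.name = name; this.src = src; } }

// Pre-fix pattern: trusts whatever `currentScript` resolves to.
function naiveBase(doc) {
  return new URL(".", doc.currentScript.src).href;
}

// Hardened pattern: accept the value only if it is a genuine script element,
// its src parses as an absolute URL, and (optionally) its origin is expected.
function hardenedBase(doc, ScriptCtor, allowedOrigins) {
  const node = doc.currentScript;
  if (!(node instanceof ScriptCtor)) return null; // clobbered or absent
  let url;
  try {
    url = new URL(node.src);
  } catch {
    return null; // empty or relative src
  }
  if (allowedOrigins && !allowedOrigins.includes(url.origin)) return null;
  return new URL(".", url).href; // directory the dependencies load from
}

// Constructed sample documents with placeholder hosts.
const cleanDoc = {
  currentScript: new FakeScript("https://site.example/pagefind/pagefind.js"),
};
// Models a named non-script element shadowing the lookup.
const clobberedDoc = {
  currentScript: new FakeImg("currentScript", "https://other.example/assets/"),
};

console.log(naiveBase(clobberedDoc));
console.log(hardenedBase(clobberedDoc, FakeScript));
console.log(hardenedBase(cleanDoc, FakeScript, ["https://site.example"]));
```

A `null` result means the caller should refuse to load dependencies rather than fall back to the untrusted value.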

CVSS Details

Base Score: 5.4
Exploitability: 2.3
Impact: 2.7
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Threat Intelligence

EPSS Exploit Probability: 31.6% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 6

Vendor    Product   Version  Range
pagefind  pagefind  *        <1.1.1
pagefind  pagefind  1.1.1    any
pagefind  pagefind  1.1.1    any
pagefind  pagefind  1.1.1    any
pagefind  pagefind  1.1.1    any
pagefind  pagefind  1.1.1    any

References 3

  • github.com https://github.com/CloudCannon/pagefind/commit/14ec96864eabaf1d7d809d5da0186a8856261eeb
    Patch
  • github.com https://github.com/CloudCannon/pagefind/security/advisories/GHSA-gprj-6m2f-j9hx
    Vendor Advisory
  • github.com https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
    Not Applicable

Remediation

  • github.com https://github.com/CloudCannon/pagefind/commit/14ec96864eabaf1d7d809d5da0186a8856261eeb
    Patch