CVE-2023-49293

Published Dec 4, 2023

Last updated a year ago

CVSS medium 6.1

Overview

Description: Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.
Source: security-advisories@github.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.1
Impact score: 2.7
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

security-advisories@github.com: CWE-79

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "794F0A24-E042-454A-8AF4-410CA6B9B7ED",
            "versionEndIncluding": "4.4.11",
            "versionStartIncluding": "4.4.0"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5035825C-DE1D-4C3E-B80A-B80BAA9B9B83",
            "versionEndIncluding": "5.0.4",
            "versionStartIncluding": "5.0.0"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:-:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "49DB9151-3306-4887-B467-54BF1CB59077"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta0:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AD12B845-C230-4731-A1C3-F7C8563EC330"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta1:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "71B39887-494A-42B0-97B5-3A27BBDA384F"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta10:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "42748778-8084-4E85-A870-F4938B2B4197"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta11:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8CEA9A64-2C3B-48CD-B553-1B266E6D98DF"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta12:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C4335B97-76B1-4B91-BDF1-0DFFB8B5D966"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta13:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D4393D1C-F71A-4FBB-896E-91F5BDE99F5F"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta14:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "41F91182-DFB5-4900-967A-3467C1160FD1"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta15:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E3A2BCC8-1B86-47D9-B1D9-374B3FAF452F"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta16:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "659D1924-3224-4F96-B88C-1A98909C3129"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta17:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "239A48C0-7571-46A9-ADF8-8044F89312DB"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta18:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0DBF0C24-7E51-4E33-B265-872250BAAFFE"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta19:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "061FD0EC-C333-43A4-B003-0B2C7CC5F377"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta2:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CDAA6C11-11F8-466A-910F-CEB4ECA6C2B2"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta20:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E3FE8672-FB0B-4E18-8830-85A858B4EBCD"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta3:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9DBA3329-186A-48FD-A1F1-0F0F4487FEB0"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta4:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A4C137DE-8111-447B-AB2A-5DCF19C1EDE8"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta5:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1866630A-7067-4B2D-BB66-FA5A49556046"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta6:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0490F00F-EE92-4A86-A11F-7A81345700AF"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta7:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F7947662-99E7-42FA-9F5B-FBB84B370E76"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta8:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DC5DF679-2F1D-4DDC-AD63-D4013D61D5F6"
          },
          {
            "criteria": "cpe:2.3:a:vitejs:vite:5.0.0:beta9:*:*:*:node.js:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D3EE21DD-285A-4B6A-A607-60D4E3842B28"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References