CVE-2024-32468 MEDIUM

CVE-2024-32468: Improper neutralization of input during web page generation ("Cross-site Scripting") in deno_doc HTML generator

Vendor Denoland
Product deno
Weakness CWE-79 · XSS
Published November 25, 2024
Last update November 25, 2024

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Deno is a runtime for JavaScript and TypeScript written in rust. Several cross-site scripting vulnerabilities existed in the `deno_doc` crate which lead to Self-XSS with deno doc --html. 1.) XSS in generated `search_index.js`, `deno_doc` outputs a JavaScript file for searching. However, the generated file used `innerHTML` on unsanitzed HTML input. 2.) XSS via property, method and enum names, `deno_doc` did not sanitize property names, method names and enum names. The first XSS most likely didn't have an impact since `deno doc --html` is expected to be used locally with own packages.

Key dates

02Disclosure timeline

November 25, 2024 CVE published
November 25, 2024 Record updated