CVE-2024-52793 MEDIUM

CVE-2024-52793: XSS vulnerability in serveDir API of @std/http/file-server on POSIX systems

Vendor Denoland

Product std

Weakness CWE-79 · XSS

Published November 22, 2024

Last update November 26, 2024

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

The Deno Standard Library provides APIs for Deno and the Web. Prior to version 1.0.11, `http/file-server`'s `serveDir` with `showDirListing: true` option is vulnerable to cross-site scripting when the attacker is a user who can control file names in the source directory on systems with POSIX file names. Exploitation might also be possible on other systems but less trivial due to e.g. lack of file name support for `<>` in Windows. Version 1.0.11 fixes the issue.

Key dates

02Disclosure timeline

November 22, 2024 CVE published

November 26, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-52793 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2024-52793: XSS vulnerability in serveDir API of @std/http/file-server on POSIX systems

01Description

02Disclosure timeline

03References

04Related CVE