CVE-2024-54138 MEDIUM

CVE-2024-54138: XSS Vulnerability in NuGetGallery's Markdown Autolinks Processing

Vendor Nuget
Product NuGetGallery
Weakness CWE-79 · XSS
Published December 6, 2024
Last update December 10, 2024

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

NuGet Gallery is a package repository that powers nuget.org. The NuGetGallery has a security vulnerability related to its handling of autolinks in Markdown content. While the platform properly filters out JavaScript from standard links, it does not adequately sanitize autolinks. This oversight allows attackers to exploit autolinks as a vector for Cross-Site Scripting (XSS) attacks. This vulnerability is fixed in 2024.12.06.

Key dates

02Disclosure timeline

December 6, 2024 CVE published
December 10, 2024 Record updated