CVE-2024-21541

Published: Nov 13, 2024

Modified: Jan 16, 2025

PUBLISHED

CVSS v3.1

7.3

HIGH

Description

Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not attacker-controlled. The risks involved are similar to that of allowing attacker-controlled input to reach eval.

Vendor	Product	Versions
n/a	dom-iterator	affected `0 - < 1.0.1`
n/a	org.webjars.npm:dom-iterator	affected `0 - < *`

Weaknesses (CWE)

CWE-94

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

https://security.snyk.io/vuln/SNYK-JS-DOMITERATOR-6157199

https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8383166

https://github.com/matthewmueller/dom-iterator/commit/9e0e0fad5a251de5b42feb326c4204eb04080805

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-21541

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References