Moderate severity · NVD Advisory · Published Sep 26, 2024 · Updated Sep 26, 2024
DOM Clobbering gadgets found in layui that lead to Cross-site Scripting
CVE-2024-47075
Description
LayUI is a native minimalist modular Web UI component library. Versions prior to 2.9.17 have a DOM Clobbering vulnerability that can lead to Cross-site Scripting (XSS) on web pages where attacker-controlled HTML elements (e.g., img tags with unsanitized name attributes) are present. Version 2.9.17 fixes this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| layui (npm) | < 2.9.17 | 2.9.17 |
References
- github.com/advisories/GHSA-j827-6rgf-9629 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-47075 (ghsa, ADVISORY)
- github.com/layui/layui/commit/f756b41d63bf3d488a2cb042918638c9851bf2b0 (ghsa, x_refsource_MISC, WEB)
- github.com/layui/layui/security/advisories/GHSA-j827-6rgf-9629 (ghsa, x_refsource_CONFIRM, WEB)
- layui.dev/notes/share/security-currentscript.html (ghsa, WEB)