CVE-2024-51757

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Nov 6, 2024 / Updated: 13d ago

010
CVSS 9.3EPSS 0.04%Critical
CVE info copied to clipboard

Summary

happy-dom, a JavaScript implementation of a web browser without its graphical user interface, contains a vulnerability in versions prior to 15.10.2 that may allow code execution on the host via a script tag. This execution would occur in the user context of happy-dom.

Impact

This vulnerability could allow an attacker to execute arbitrary code within the context of happy-dom. The severity is critical, with a CVSS base score of 9.3. The attack vector is network-based, requires low complexity, and needs no user interaction or privileges, making it relatively easy to exploit. The vulnerability highly impacts the confidentiality, integrity, and availability of the vulnerable system. For a security team, this means that any systems using vulnerable versions of happy-dom are at significant risk of compromise, potentially leading to data breaches, system manipulation, or service disruptions.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Users are advised to upgrade to version 15.10.2 of happy-dom.

Mitigation

The primary mitigation is to upgrade to the patched version 15.10.2 of happy-dom. There are no known workarounds for this vulnerability, making the upgrade crucial for security. Given the severity (CVSS score 9.3 - Critical) and ease of exploitation, this should be prioritized very highly in patching efforts. Security teams should immediately identify all instances of happy-dom in their environment, prioritize systems exposed to network access, and schedule urgent updates to version 15.10.2.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-51757

Nov 6, 2024 at 8:15 PM
CVSS

A CVSS base score of 9.3 has been assigned.

Nov 6, 2024 at 8:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-51757. See article

Nov 6, 2024 at 8:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 6, 2024 at 8:24 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 11.3%)

Nov 7, 2024 at 10:05 AM
Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2024-51757).

Nov 8, 2024 at 2:35 PM
CVSS

A CVSS base score of 9.3 has been assigned.

Nov 8, 2024 at 7:05 PM / nvd
Static CVE Timeline Graph

Affected Systems

Github/github
+null more

Patches

bugzilla.redhat.com
+null more

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch
+null more

Vendor Advisory

CVE-2024-51757
CVE Id: CVE-2024-51757 Release Date: 2024-11-06 Update Date: 2024-11-08 Impact Critical CVSS Base Score: 9.8 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version 15.10.2. There are no known workarounds for this vulnerability.

News

CVE-2024-51757
CVE Id: CVE-2024-51757 Release Date: 2024-11-06 Update Date: 2024-11-08 Impact Critical CVSS Base Score: 9.8 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version 15.10.2. There are no known workarounds for this vulnerability.
CVE-2024-51757
This would execute code in the user context of happy-dom. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag.
NA - CVE-2024-51757 - happy-dom is a JavaScript implementation of a...
happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would...
CVE-2024-51757 - GitHub Advisory Database
CVE-2024-51757 - GitHub Advisory Database
CVE-2024-51757 - Fixes security vulnerability that allowed for server side code to be ...
happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.1 may execute ...
See 8 more articles and social media posts

CVSS V3.1

Unknown

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI