CVE-2023-49293

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-49293
Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.

6.1 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:-:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta0:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta10:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta11:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta12:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta13:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta14:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta15:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta16:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta17:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta18:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta19:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta20:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta5:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta6:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta7:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta8:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta9:*:*:*:node.js:*:*
History

08 Dec 2023, 17:28

Type Values Removed Values Added
References () https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97 - () https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97 - Exploit, Third Party Advisory
CPE cpe:2.3:a:vitejs:vite:5.0.0:beta6:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta15:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta20:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta8:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta12:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta17:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta10:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta16:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta18:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta13:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta5:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta11:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta9:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta7:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:-:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta19:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta0:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:5.0.0:beta14:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.1

04 Dec 2023, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-12-04 23:15

Updated : 2024-02-05 00:22

NVD link : CVE-2023-49293

Mitre link : CVE-2023-49293

CVE.ORG link : CVE-2023-49293

JSON object : View

Products Affected

vitejs

  • vite
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')