Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-53we-mdcx-bbfr
Vulnerability ID VCID-53we-mdcx-bbfr
Aliases CVE-2024-45812
GHSA-64vr-g452-qvp3
Summary Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`. However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 6.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45812.json
epss 0.00256 https://api.first.org/data/v1/epss?cve=CVE-2024-45812
epss 0.00256 https://api.first.org/data/v1/epss?cve=CVE-2024-45812
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-64vr-g452-qvp3
cvssv3.1 6.4 https://github.com/vitejs/vite
cvssv4 4.8 https://github.com/vitejs/vite
generic_textual MODERATE https://github.com/vitejs/vite
cvssv3.1 6.4 https://github.com/vitejs/vite/commit/179b17773cf35c73ddb041f9e6c703fd9f3126af
cvssv4 4.8 https://github.com/vitejs/vite/commit/179b17773cf35c73ddb041f9e6c703fd9f3126af
generic_textual MODERATE https://github.com/vitejs/vite/commit/179b17773cf35c73ddb041f9e6c703fd9f3126af
cvssv3.1 6.4 https://github.com/vitejs/vite/commit/2691bb3ff6b073b41fb9046909e1e03a74e36675
cvssv4 4.8 https://github.com/vitejs/vite/commit/2691bb3ff6b073b41fb9046909e1e03a74e36675
generic_textual MODERATE https://github.com/vitejs/vite/commit/2691bb3ff6b073b41fb9046909e1e03a74e36675
cvssv3.1 6.4 https://github.com/vitejs/vite/commit/2ddd8541ec3b2d2e5b698749e0f2362ef28056bd
cvssv4 4.8 https://github.com/vitejs/vite/commit/2ddd8541ec3b2d2e5b698749e0f2362ef28056bd
generic_textual MODERATE https://github.com/vitejs/vite/commit/2ddd8541ec3b2d2e5b698749e0f2362ef28056bd
cvssv3.1 6.4 https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad
cvssv4 4.8 https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad
generic_textual MODERATE https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad
ssvc Track https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad
cvssv3.1 6.4 https://github.com/vitejs/vite/commit/e8127166979e7ace6eeaa2c3b733c8994caa31f3
cvssv4 4.8 https://github.com/vitejs/vite/commit/e8127166979e7ace6eeaa2c3b733c8994caa31f3
generic_textual MODERATE https://github.com/vitejs/vite/commit/e8127166979e7ace6eeaa2c3b733c8994caa31f3
cvssv3.1 6.4 https://github.com/vitejs/vite/commit/ebb94c5b3bf41950f45562595adec117a4d0ba5e
cvssv4 4.8 https://github.com/vitejs/vite/commit/ebb94c5b3bf41950f45562595adec117a4d0ba5e
generic_textual MODERATE https://github.com/vitejs/vite/commit/ebb94c5b3bf41950f45562595adec117a4d0ba5e
cvssv3.1 6.4 https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3
cvssv3.1_qr MODERATE https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3
cvssv4 4.8 https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3
generic_textual MODERATE https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3
ssvc Track https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3
cvssv3.1 6.4 https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
cvssv4 4.8 https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
generic_textual MODERATE https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
ssvc Track https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
cvssv3.1 6.4 https://nvd.nist.gov/vuln/detail/CVE-2024-45812
cvssv4 4.8 https://nvd.nist.gov/vuln/detail/CVE-2024-45812
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-45812
cvssv3.1 6.4 https://research.securitum.com/xss-in-amp4email-dom-clobbering
cvssv4 4.8 https://research.securitum.com/xss-in-amp4email-dom-clobbering
generic_textual MODERATE https://research.securitum.com/xss-in-amp4email-dom-clobbering
ssvc Track https://research.securitum.com/xss-in-amp4email-dom-clobbering
cvssv3.1 6.4 https://scnps.co/papers/sp23_domclob.pdf
cvssv4 4.8 https://scnps.co/papers/sp23_domclob.pdf
generic_textual MODERATE https://scnps.co/papers/sp23_domclob.pdf
ssvc Track https://scnps.co/papers/sp23_domclob.pdf
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45812.json
https://api.first.org/data/v1/epss?cve=CVE-2024-45812
https://github.com/vitejs/vite
https://github.com/vitejs/vite/commit/179b17773cf35c73ddb041f9e6c703fd9f3126af
https://github.com/vitejs/vite/commit/2691bb3ff6b073b41fb9046909e1e03a74e36675
https://github.com/vitejs/vite/commit/2ddd8541ec3b2d2e5b698749e0f2362ef28056bd
https://github.com/vitejs/vite/commit/e8127166979e7ace6eeaa2c3b733c8994caa31f3
https://github.com/vitejs/vite/commit/ebb94c5b3bf41950f45562595adec117a4d0ba5e
2312935 https://bugzilla.redhat.com/show_bug.cgi?id=2312935
ade1d89660e17eedfd35652165b0c26905259fad https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad
CVE-2024-45812 https://nvd.nist.gov/vuln/detail/CVE-2024-45812
GHSA-4vvj-4cpr-p986 https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
GHSA-64vr-g452-qvp3 https://github.com/advisories/GHSA-64vr-g452-qvp3
GHSA-64vr-g452-qvp3 https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3
RHSA-2024:10917 https://access.redhat.com/errata/RHSA-2024:10917
RHSA-2024:10962 https://access.redhat.com/errata/RHSA-2024:10962
sp23_domclob.pdf https://scnps.co/papers/sp23_domclob.pdf
xss-in-amp4email-dom-clobbering https://research.securitum.com/xss-in-amp4email-dom-clobbering
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-45812.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/vitejs/vite
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/vitejs/vite
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/vitejs/vite/commit/179b17773cf35c73ddb041f9e6c703fd9f3126af
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/vitejs/vite/commit/179b17773cf35c73ddb041f9e6c703fd9f3126af
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/vitejs/vite/commit/2691bb3ff6b073b41fb9046909e1e03a74e36675
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/vitejs/vite/commit/2691bb3ff6b073b41fb9046909e1e03a74e36675
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/vitejs/vite/commit/2ddd8541ec3b2d2e5b698749e0f2362ef28056bd
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/vitejs/vite/commit/2ddd8541ec3b2d2e5b698749e0f2362ef28056bd
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T13:57:07Z/ Found at https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/vitejs/vite/commit/e8127166979e7ace6eeaa2c3b733c8994caa31f3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/vitejs/vite/commit/e8127166979e7ace6eeaa2c3b733c8994caa31f3
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/vitejs/vite/commit/ebb94c5b3bf41950f45562595adec117a4d0ba5e
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/vitejs/vite/commit/ebb94c5b3bf41950f45562595adec117a4d0ba5e
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T13:57:07Z/ Found at https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T13:57:07Z/ Found at https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-45812
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-45812
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://research.securitum.com/xss-in-amp4email-dom-clobbering
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://research.securitum.com/xss-in-amp4email-dom-clobbering
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T13:57:07Z/ Found at https://research.securitum.com/xss-in-amp4email-dom-clobbering
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H Found at https://scnps.co/papers/sp23_domclob.pdf
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://scnps.co/papers/sp23_domclob.pdf
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T13:57:07Z/ Found at https://scnps.co/papers/sp23_domclob.pdf
Exploit Prediction Scoring System (EPSS)
Percentile 0.49289
EPSS Score 0.00256
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-10T18:32:27.505048+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2024/45xxx/CVE-2024-45812.json 38.6.0