CVE-2023-49293

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-49293
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-49293.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-49293
Aliases
Related
Published
2023-12-04T23:15:27Z
Modified
2025-02-19T03:34:45.224256Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the HTML being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml. Only apps using appType: 'custom' together with the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.

References

Affected packages

Git / github.com/vitejs/vite

Affected ranges

Affected versions

create-vite@4.*

create-vite@4.4.0
create-vite@4.4.1

create-vite@5.*

create-vite@5.0.0

plugin-legacy@4.*

plugin-legacy@4.1.0
plugin-legacy@4.1.1

plugin-legacy@5.*

plugin-legacy@5.0.0
plugin-legacy@5.1.0
plugin-legacy@5.2.0

v4.*

v4.4.0
v4.4.1
v4.4.10
v4.4.11
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6
v4.4.7
v4.4.8
v4.4.9

v5.*

v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4