GHSA-fp3m-g5rc-4c28

Suggest an improvement
Source
https://github.com/advisories/GHSA-fp3m-g5rc-4c28
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-fp3m-g5rc-4c28/GHSA-fp3m-g5rc-4c28.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fp3m-g5rc-4c28
Aliases
Published
2025-03-03T09:30:34Z
Modified
2025-06-30T12:51:24Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Stage.js DOM Clobbering vulnerabilty
Details

Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

Database specific 
{
    "github_reviewed_at": "2025-03-03T20:17:21Z",
    "cwe_ids": [
        "CWE-79",
        "CWE-94"
    ],
    "nvd_published_at": "2025-03-03T07:15:34Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

npm / stage-js

Package

Name
stage-js
View open source insights on deps.dev
Purl
pkg:npm/stage-js

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.8.10