SB2024112552 - Cross-site scripting in Deno




Published: November 25, 2024
Updated: April 23, 2026

Security Bulletin ID: SB2024112552
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Cross-site scripting (CVE-ID: CVE-2024-32468)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in the generated documentation page.

The vulnerability exists due to cross-site scripting in the deno_doc HTML generator when generating HTML documentation from crafted package content. A remote user can include unsanitized names or HTML content in documented code to execute arbitrary script in the generated documentation page.

User interaction is required to open or view the generated documentation.
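
The class of flaw described above, as an added Rust example that is not deno_doc source code: a documentation generator that pastes package-controlled names and doc text into HTML, next to a version that escapes them at output time. `DocEntry`, `escape_html`, `render_unsafe`, `render_escaped` and the sample input are hypothetical and constructed for illustration.

```rust
// Added illustration; not deno_doc source. All names here are hypothetical.

/// One documented symbol as a doc generator might receive it from a package.
struct DocEntry<'a> {
    name: &'a str,
    summary: &'a str,
}

/// Escape the five characters that can change HTML parsing context in
/// element content and quoted attribute values.
fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

/// Weak form: package-controlled strings are pasted into markup as-is.
fn render_unsafe(e: &DocEntry) -> String {
    format!("<section id=\"{0}\"><h2>{0}</h2><p>{1}</p></section>", e.name, e.summary)
}

/// Hardened form: every package-controlled string is escaped at output time.
fn render_escaped(e: &DocEntry) -> String {
    let (name, summary) = (escape_html(e.name), escape_html(e.summary));
    format!("<section id=\"{0}\"><h2>{0}</h2><p>{1}</p></section>", name, summary)
}

fn main() {
    // Constructed sample input: markup placed in a symbol name and a doc comment.
    let entry = DocEntry {
        name: "x\"><script>alert(1)</script>",
        summary: "<img src=x onerror=alert(1)>",
    };
    println!("unsafe:  {}", render_unsafe(&entry));
    println!("escaped: {}", render_escaped(&entry));
}
```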


Remediation

Install the update from the vendor's website.