Description

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. The static error.html template for errors contains placeholders that are replaced without escaping the content first. error.html is the page that is rendered when everything else fails. It can contain the following placeholders: %sveltekit.status% — the HTTP status, and %sveltekit.error.message% — the error message. This leads to possible injection if an app explicitly creates an error with a message that contains user controlled content. Only applications where user provided input is used in the `Error` message will be vulnerable, so the vast majority of applications will not be vulnerable This issue has been addressed in version 2.8.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

INFO

Published Date :

2024-11-25T19:07:20.317Z

Last Modified :

2024-11-25T20:24:05.750Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-53262 vulnerability.

Vendors Products
Svelte
  • Sveltekit
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-53262.

URL Resource
https://github.com/sveltejs/kit/commit/134e36343ef57ed7e6e2b3bb9e7f05ad37865794 cve-icon cve-icon
https://github.com/sveltejs/kit/security/advisories/GHSA-mh2x-fcqh-fmqv cve-icon cve-icon
https://kit.svelte.dev/docs/errors cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact