CVE-2024-21541

Summary

Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not attacker-controlled. The risks involved are similar to that of allowing attacker-controlled input to reach eval.

Affected Software

VendorProductVersion RangeStatus
n/adom-iterator0 < 1.0.1affected
n/aorg.webjars.npm:dom-iterator0 < *affected

Weaknesses

  • CWE-94: Arbitrary Code Execution

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References