CVE-2024-42515: 
JavaScript vulnerability analysis and mitigation

CVE-2024-42515 affects Glossarizer through version 1.5.2, a jQuery plugin for creating glossaries. The vulnerability was discovered in March 2024 and publicly disclosed in October 2024. The issue stems from improper text-to-HTML conversion where the application's special character escaping is bypassed by the underlying library (USD Advisory, NVD).

The vulnerability occurs in the jquery.glossarize.js file's .html() function. While the application itself attempts to escape special characters (like <>) properly, the underlying library converts these encoded characters back into legitimate HTML. This bypass of the sanitization mechanism enables stored Cross-Site Scripting (XSS) attacks. The vulnerability has been assigned a CVSS v3.1 base score of 9.9 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L (USD Advisory).

The vulnerability allows attackers to execute arbitrary JavaScript code by appending XSS payloads to words that have corresponding glossary entries. When the malicious content is processed by the library, it gets converted into active HTML, potentially leading to client-side code execution in the context of other users' browsers (USD Advisory).

As of the latest reports, no official fix has been released. The USD Advisory suggests replacing the .html() function and implementing proper escaping of special characters before injecting HTML into the page. Users of Glossarizer should assess the risk and consider implementing additional input sanitization or exploring alternative solutions (USD Advisory).

The vulnerability was discovered by Kai Glauber and Samir Benzammour of usd AG. Multiple attempts to contact the developers were unsuccessful, leading to the public disclosure of the vulnerability without a patch. The repository was subsequently set to private, though the package remains available on npm (USD Advisory).