CVE-2024-47075: 
JavaScript vulnerability analysis and mitigation

LayUI, a native minimalist modular Web UI component library, was found to contain a DOM Clobbering vulnerability in versions prior to 2.9.17. The vulnerability could lead to Cross-site Scripting (XSS) on web pages where attacker-controlled HTML elements, such as img tags with unsanitized name attributes, are present. The issue was discovered and disclosed in September 2024, with version 2.9.17 containing the fix (GitHub Advisory).

The vulnerability is classified as DOM Clobbering, a code-reuse attack where attackers embed non-script, seemingly benign HTML markups in the webpage and leverage existing JavaScript code snippets to transform them into executable code. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H. The weakness is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

This vulnerability can result in cross-site scripting (XSS) attacks on websites that use the LayUI library and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. The impact affects confidentiality and integrity at a low level, while availability impact is considered high (GitHub Advisory).

The vulnerability has been patched in LayUI version 2.9.17. Users are advised to upgrade to this version or later to mitigate the risk. The official fix announcement can be found on the LayUI developer portal (GitHub Advisory).