CVE-2024-6783: 
JavaScript vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability has been identified in Vue versions 2.0.0 to 3.0.0, specifically within the Vue 2 template compiler present in the "full build" of Vue. The vulnerability (CVE-2024-6783) was discovered in July 2024 and allows attackers to perform XSS via prototype pollution (HeroDevs, GitHub Advisory).

The vulnerability exists in the in-browser Vue template compiler which is responsible for creating executable code from component templates. The issue stems from the AST Codegen pathway relying on properties that are initially unset, where properties are eventually consumed by a function that stringifies values and passes them to an eval statement during render. The attacker could change the prototype chain of properties such as Object.prototype.staticClass or Object.prototype.staticStyle to execute arbitrary JavaScript code. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).

This vulnerability allows attackers to inject malicious scripts into otherwise benign and trusted websites. When successfully exploited, an attacker can send malicious scripts to unsuspecting users, potentially leading to unauthorized code execution in the victim's browser (HeroDevs).

Since Vue 2 has reached End-of-Life, users of the affected components should either migrate to Vue 3, which contains the fix for this vulnerability, or leverage a commercial support partner like HeroDevs for post-EOL security support. The vulnerability has been patched in Vue NES v2.6.17 and v2.7.19 (HeroDevs).