CVE-2024-45811

MEDIUM Year: 2024
CVSS v3 Score
4.8
Medium
Weakness Type
CWE-200
View all →

Vulnerability Description

Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Related Vulnerabilities

CVE-2016-5696

MEDIUM
CVSS:4.8(Medium)

net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-win...

CWE-2002016

CVE-2017-3742

MEDIUM
CVSS:4.8(Medium)

In Lenovo Connect2 versions earlier than 4.2.5.4885 for Windows and 4.2.5.3071 for Android, when an ad-hoc connection is made between two systems for the purpose of sharing files, the password for thi...

CWE-2002017

CVE-2018-10229

MEDIUM
CVSS:4.8(Medium)

A hardware vulnerability in GPU memory modules allows attackers to accelerate micro-architectural attacks through the use of the JavaScript WebGL API.

CWE-2002018

CVE-2021-3688

MEDIUM
CVSS:4.8(Medium)

A flaw was found in Red Hat JBoss Core Services HTTP Server in all versions, where it does not properly normalize the path component of a request URL contains dot-dot-semicolon(s). This flaw could all...

CWE-2002021

CVE-2022-0722

MEDIUM
CVSS:4.8(Medium)

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url prior to 7.0.0.

CWE-2002022

CVE-2023-49292

MEDIUM
CVSS:4.8(Medium)

ecies is an Elliptic Curve Integrated Encryption Scheme for secp256k1 in Golang. If funcations Encapsulate(), Decapsulate() and ECDH() could be called by an attacker, they could recover any private ke...

CWE-2002023