CVE-2024-23841

2024-01-3018:15:48

CWE-80

[email protected]

web.nvd.nist.gov

apollo-client-nextjs

apollo client

next.js

xss

cve-2024-23841

nvd

vulnerability

update

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

0.0005 Low

EPSS

Percentile

17.0%

JSON

apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input (e.g. by redirecting a user to a specifically-crafted link) or arrange to have malicious input be returned by a GraphQL server (e.g. by persisting it in a database). To fix this issue, please update to version 0.7.0 or later.

Affected configurations

Vulners

NVD

Node

apollographqlapollo_clientRange<0.7.0

VendorProductVersionCPE
apollographqlapollo_client*cpe:2.3:a:apollographql:apollo_client:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apollographql	apollo_client	*	cpe:2.3:a:apollographql:apollo_client::::::::

CNA Affected

[
  {
    "vendor": "apollographql",
    "product": "apollo-client-nextjs",
    "versions": [
      {
        "version": "< 0.7.0",
        "status": "affected"
      }
    ]
  }
]