CVE-2024-23841

2024-01-3018:15:48

Google

osv.dev

cve-2024-23841

cross-site scripting

apollo client

next.js

update

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

6.1 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input (e.g. by redirecting a user to a specifically-crafted link) or arrange to have malicious input be returned by a GraphQL server (e.g. by persisting it in a database). To fix this issue, please update to version 0.7.0 or later.

CPENameOperatorVersion
apollo-clienteq0.3.10
apollo-clienteq0.5.22
apollo-clienteq0.3.3
apollo-clienteq0.4.5
apollo-clienteq0.2.1
apollo-clienteq0.4.6
apollo-clienteq0.2.2
apollo-clienteq0.4.2
apollo-clienteq0.5.1
apollo-clienteq0.4.0

Name	Operator	Version
apollo-client	eq	0.3.10
apollo-client	eq	0.5.22
apollo-client	eq	0.3.3
apollo-client	eq	0.4.5
apollo-client	eq	0.2.1
apollo-client	eq	0.4.6
apollo-client	eq	0.2.2
apollo-client	eq	0.4.2
apollo-client	eq	0.5.1
apollo-client	eq	0.4.0