Cross-site Scripting (XSS) Affecting automation-controller package, versions *


Severity

Recommended
0.0
medium
0
10

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.01% (2nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RHEL10-AUTOMATIONCONTROLLER-9899133
  • published29 Apr 2025
  • disclosed23 Sept 2024

Introduced: 23 Sep 2024

CVE-2024-47068  (opens in a new tab)
CWE-79  (opens in a new tab)

How to fix?

There is no fixed version for RHEL:10 automation-controller.

NVD Description

Note: Versions mentioned in the description apply only to the upstream automation-controller package and not the automation-controller package as distributed by RHEL. See How to fix? for RHEL:10 relevant fixed versions and status.

Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from import.meta (e.g., import.meta.url) in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability.

CVSS Base Scores

version 3.1