CVE-2024-54138 — MEDIUM (6.1)

Q: How severe is CVE-2024-54138?

CVE-2024-54138 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-54138?

Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Nugetgallery.

Vulnerability Description

NuGet Gallery is a package repository that powers nuget.org. The NuGetGallery has a security vulnerability related to its handling of autolinks in Markdown content. While the platform properly filters out JavaScript from standard links, it does not adequately sanitize autolinks. This oversight allows attackers to exploit autolinks as a vector for Cross-Site Scripting (XSS) attacks. This vulnerability is fixed in 2024.12.06.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Microsoft	Nugetgallery	< 2024.12.06

Related Weaknesses (CWE)

CWE-79

References

https://github.com/NuGet/NuGetGallery/pull/10296Issue TrackingPatch
https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-x448-p234-x5p8Vendor Advisory

FAQ

What is CVE-2024-54138?

CVE-2024-54138 is a vulnerability with a CVSS score of 6.1 (MEDIUM). NuGet Gallery is a package repository that powers nuget.org. The NuGetGallery has a security vulnerability related to its handling of autolinks in Markdown content. While the platform properly filters...

How severe is CVE-2024-54138?

CVE-2024-54138 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-54138?

Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Nugetgallery.