CVE-2024-53386

low-risk
Published 2025-03-03

Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

Do I need to act?

-
0.33% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Stage.Js

Affected Vendors

Piqnt

References (3)

Exploit https://gist.github.com/jackfromeast/31d56f1ad17673aabb6ab541e65a5534
Product https://github.com/piqnt/stage.js/blob/919f6e94b14242f6e6994141a9e1188439d306d5/...
Exploit https://gist.github.com/jackfromeast/31d56f1ad17673aabb6ab541e65a5534
22
/ 100
low-risk
Severity 16/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal