Cyber Posture

CVE-2024-53388

Severity: High · Public PoC available

Published: 03 March 2025

Modified: 07 July 2025
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0033 (55.9th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A DOM Clobbering vulnerability in Mavo v0.3.2 allows attackers to execute arbitrary code by supplying a crafted HTML element.

Security Summary

CVE-2024-53388 is a DOM Clobbering vulnerability affecting Mavo version 0.3.2. DOM Clobbering abuses the browser's named-property access: any element carrying an id attribute (and, for some element types, a name attribute) is exposed as a property of window or document, so attacker-controlled markup can shadow a global that library code expects to be undefined or to hold a trusted value. In Mavo 0.3.2 an attacker who can supply a crafted HTML element uses this to reach arbitrary JavaScript execution. The vulnerability is classified under CWE-79 (cross-site scripting) and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): it is reachable over the network with low attack complexity and no privileges, requires user interaction, and has high impact on confidentiality, integrity, and availability.

The attacker needs no authentication but does need the victim to interact, typically by loading a page, document, or resource that includes the crafted HTML element in an environment where Mavo processes it. Successful exploitation yields JavaScript execution in the origin of the page that embeds Mavo, which is sufficient to read any data available to that page, manipulate application state, or hijack the user's session.

For mitigation details, refer to the advisory at https://gist.github.com/jackfromeast/a61a5429a97985e7ff4c1d39e339d5d8, published on 2025-03-03. Security practitioners should identify deployments that use Mavo v0.3.2, determine whether untrusted markup can reach those pages, apply the fix recommended in the advisory, and sanitize untrusted HTML before it is inserted into the DOM, in particular stripping id and name attributes whose values collide with window or document properties or with the application's own globals.
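The following is an added example of the sanitization step described above; it is not Mavo's code and is not taken from the advisory. It scans untrusted markup for id and name attributes whose values would clobber a reserved name (built-in document/window members plus application globals) and strips them before insertion, the same idea as the SANITIZE_DOM behaviour of sanitizers such as DOMPurify. The reserved-name list, the sample markup, and the global name "config" are assumptions made for the example; in a browser, parse with DOMParser and walk the tree rather than scanning raw markup with regular expressions.

```javascript
'use strict';

// Reserved names: document/window members that clobbering commonly targets,
// plus globals this hypothetical application reads (assumed names for the
// example; adjust to the real page's globals).
const RESERVED_NAMES = new Set([
  'cookie', 'domain', 'location', 'body', 'head', 'forms', 'images', 'scripts',
  'createElement', 'getElementById', 'querySelector', 'write',
  'config', 'appSettings',
]);

// Tag and attribute scanners, sufficient for well-formed markup. Closing tags
// and text nodes never match TAG_RE, so they pass through untouched.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^\s=>/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=>/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function parseAttrs(attrText) {
  const attrs = [];
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? '', raw: m[0] });
  }
  return attrs;
}

// Named-property access is case-sensitive, so compare the exact value.
function isClobbering(attr, reserved) {
  return (attr.name === 'id' || attr.name === 'name') && reserved.has(attr.value);
}

// Report every id/name attribute that would shadow a reserved name.
function findClobberingAttrs(html, reserved = RESERVED_NAMES) {
  const hits = [];
  for (const tag of html.matchAll(TAG_RE)) {
    for (const a of parseAttrs(tag[2])) {
      if (isClobbering(a, reserved)) {
        hits.push({ tag: tag[1].toLowerCase(), attr: a.name, value: a.value });
      }
    }
  }
  return hits;
}

// Rewrite the markup with the offending attributes removed; everything else
// (text, closing tags, harmless attributes) is left as it was.
function stripClobberingAttrs(html, reserved = RESERVED_NAMES) {
  return html.replace(TAG_RE, (whole, tagName, attrText) => {
    const kept = parseAttrs(attrText).filter(a => !isClobbering(a, reserved)).map(a => a.raw);
    const selfClose = whole.endsWith('/>') ? ' /' : '';
    return `<${tagName}${kept.length ? ' ' + kept.join(' ') : ''}${selfClose}>`;
  });
}

// Constructed sample of attacker-supplied markup (not from the advisory):
//   <a id="config" href=...>  window.config becomes the anchor; String(window.config)
//                             is its href, so `window.config || defaults` followed by
//                             String(cfg) hands the page an attacker-chosen URL.
//   <img name="cookie">       document.cookie is shadowed by the image element.
//   <div id="safe">           unrelated id, must survive untouched.
const UNTRUSTED_HTML =
  '<p>Hello</p>' +
  '<a id="config" href="https://attacker.example/x.js">x</a>' +
  '<img name="cookie" src=x>' +
  '<div id="safe">ok</div>';

function demo() {
  return {
    hits: findClobberingAttrs(UNTRUSTED_HTML),
    cleaned: stripClobberingAttrs(UNTRUSTED_HTML),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Stripping the id on an outer element also breaks nested clobbering chains such as a form with id="config" wrapping an input named "scriptUrl" (which would otherwise make window.config.scriptUrl resolve to the input), because the chain can no longer start at window. The check is only as good as the reserved list, so it belongs alongside, not instead of, code that verifies a global is a plain object before trusting it.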

Details

CWE(s)
CWE-79

Affected Products

Vendor: mavo
Product: mavo
Version: 0.3.2

MITRE ATT&CK Enterprise Techniques

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The DOM Clobbering vulnerability in Mavo enables arbitrary JavaScript execution in the browser via crafted HTML supplied to a webpage using the library. This maps to drive-by compromise (T1189), since the victim only has to browse to a page that carries the malicious markup, and to exploitation for client execution (T1203), since the code runs through a flaw in client-side library code.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://gist.github.com/jackfromeast/a61a5429a97985e7ff4c1d39e339d5d8 (advisory, published 2025-03-03)