{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T14:07:50.584","vulnerabilities":[{"cve":{"id":"CVE-2024-47068","sourceIdentifier":"security-advisories@github.com","published":"2024-09-23T16:15:06.947","lastModified":"2024-10-29T16:15:05.583","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability."},{"lang":"es","value":"Rollup es un empaquetador de módulos para JavaScript. Las versiones anteriores a 2.79.2, 3.29.5 y 4.22.4 son susceptibles a una vulnerabilidad de DOM Clobbering al agrupar scripts con propiedades de `import.meta` (por ejemplo, `import.meta.url`) en formato `cjs`/`umd`/`iife`. El gadget DOM Clobbering puede provocar cross-site scripting (XSS) en páginas web donde hay elementos HTML sin scripts controlados por atacantes (por ejemplo, una etiqueta `img` con un atributo `name` no saneado). 
Las versiones 2.79.2, 3.29.5 y 4.22.4 contienen un parche para la vulnerabilidad."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:rollupjs:rollup:*:*:*:*:*:node.js:*:*","versionStartIncluding":"0.59.0","versionEndExcluding":"2.79.2","matchCriteriaId":"7812FF87-65ED-493E-B7A2-CE52ED9A264B"},{"vulnerable":true,"criteria":"cpe:2.3:a:rollupjs:rollup:*:*:*:*:*:node.js:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.29.5","matchCriteriaId":"569E13A3-3FB9-4F70-952F-A62469C94088"},{"vulnerable":true,"criteria":"cpe:2.3:a:rollupjs:rollup:*:*:*:*:*:node.js:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.22.4","matchCriteriaId":"3D64745D-7FA0-491E-99ED-346369564D59"}]}]}],"references":[{"url":"https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162","source":"security-advisories@github.com","tags":["Product"]},{"url":"https
://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185","source":"security-advisories@github.com","tags":["Product"]},{"url":"https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}