CVE-2024-9440 in Selectinfo

Summary

by MITRE • 10/02/2024

Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption(), the text variable from the user-provided Options object is assigned to an innerHTML without sanitation. Software that depends on this library to dynamically generate lists using unsanitized user-provided input may be vulnerable to cross-site scripting, resulting in attacker executed JavaScript. At this time, no patch is available.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 11/29/2025

The vulnerability identified as CVE-2024-9440 affects the Slim Select JavaScript library version 2.0 through 2.9.0, presenting a critical cross-site scripting risk that stems from improper input sanitization within the select.ts:createOption() function. This flaw allows attackers to inject malicious JavaScript code through user-provided options objects, creating a pathway for arbitrary code execution within the victim's browser context. The vulnerability specifically occurs when the text variable from user-provided options is directly assigned to innerHTML without proper sanitization, bypassing standard security mechanisms that would normally prevent such injections.

The technical implementation of this vulnerability resides in the library's handling of dynamic option generation where user input flows directly into DOM manipulation operations. When applications utilize Slim Select to render dropdown menus or selection lists populated with user-provided data, the createOption() method processes these inputs without validating or sanitizing the text content before incorporating it into the document object model. This pattern creates a classic XSS vector where malicious payloads can be executed within the context of the vulnerable application, potentially leading to session hijacking, data theft, or further exploitation of the user's browser environment.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities including credential theft, defacement of web applications, and establishment of persistent access points through session manipulation. The absence of an available patch at the time of reporting creates an urgent security concern for organizations relying on affected versions of Slim Select, as they face immediate exposure to potential exploitation without the ability to remediate through official updates. This vulnerability particularly affects web applications that dynamically generate selection interfaces using user-supplied data, making it a significant concern for content management systems, admin panels, and any interface that allows user input to influence dropdown or list elements.

Organizations should implement immediate mitigations including input validation and sanitization of all user-provided options before passing them to Slim Select functions, along with implementing content security policies to limit the execution of inline scripts. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in input handling, and represents a clear violation of secure coding practices outlined in OWASP Top Ten. From an ATT&CK framework perspective, this vulnerability maps to T1059.007 for script injection techniques and T1566 for social engineering through malicious web content, emphasizing the need for comprehensive defensive measures including regular security assessments and dependency monitoring to prevent exploitation of such widespread library vulnerabilities.

Responsible

VulnCheck

Reservation

10/02/2024

Disclosure

10/02/2024

Moderation

accepted

CPE

ready

EPSS

0.00341

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!