PT-2023-32240 · Facebook · React Developer Tools

Calumhutton

Publicado

2023-10-19

Atualizado

2024-09-12

CVE-2023-5654

CVSS v4.0

6.9

Média

Vetor

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions React Developer Tools extension (affected versions not specified)

Description The React Developer Tools extension has a message listener registered with window.addEventListener('message', <listener>) in a content script accessible to any active webpage in the browser. This listener contains code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitized before it is fetched, allowing a malicious webpage to arbitrarily fetch URLs via the victim's browser.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Authorization

Improper Encoding or Escaping of Output

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-285CWE-116

Identificadores relacionados

CVE-2023-5654

GHSA-RXRC-RGV4-JPVX

Produtos afetados

React Developer Tools

PT-2023-32240 · Facebook · React Developer Tools

CVE-2023-5654

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 11