CVE-2023-5654

CVSS v4.0

6.9

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions React Developer Tools extension (affected versions not specified)

Description The React Developer Tools extension has a message listener registered with window.addEventListener('message', <listener>) in a content script accessible to any active webpage in the browser. This listener contains code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitized before it is fetched, allowing a malicious webpage to arbitrarily fetch URLs via the victim's browser.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Authorization

Improper Encoding or Escaping of Output

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-285CWE-116

Related Identifiers

CVE-2023-5654

GHSA-RXRC-RGV4-JPVX

Affected Products

React Developer Tools

CVE-2023-5654

Weakness Enumeration

Related Identifiers

Affected Products

References · 11