Description
The React Developer Tools extension registers a message listener with window.addEventListener('message', ...) in a content script that is reachable from any web page active in the browser. Inside the listener is code that requests, via fetch(), a URL derived from the received message. The URL is neither validated nor sanitised before it is fetched, so a malicious web page can make the victim's browser fetch arbitrary URLs.
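The following is an added illustration, not code from the React Developer Tools extension or this advisory: it contrasts the unsafe pattern the description names (a message listener that passes page-supplied data straight to fetch()) with a hardened handler that validates the URL first. The message shape (`type: "load-source"`, `url`), the allow-listed host, and the `recordingFetch` stub are constructed for the example; the handlers are written as pure functions so they can be exercised without a browser.

```javascript
// Hosts the extension is permitted to fetch from. Constructed placeholder
// allow-list for this example; a real extension would pin its own hosts.
const ALLOWED_HOSTS = new Set(["devtools.example.invalid"]);

// Returns the parsed URL when it passes every check, otherwise null.
// Parsing with the URL constructor rejects relative and malformed input,
// and the remaining checks refuse non-https schemes (file:, data:,
// chrome-extension:, http:), hosts outside the allow-list, and embedded
// credentials.
function validateUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (!allowedHosts.has(url.hostname)) return null;
  if (url.username || url.password) return null;
  return url;
}

// UNSAFE: the pattern the advisory describes. Whatever the page posts is
// handed to fetch() unchanged, so the page chooses what the browser requests.
function unsafeHandler(event, fetchImpl) {
  if (event && event.data && event.data.type === "load-source") {
    return fetchImpl(event.data.url);
  }
  return null;
}

// HARDENED: check the sender and the URL before fetching; return null and
// fetch nothing when either check fails. Note that a content script's
// postMessage listener receives messages from the page itself, so the origin
// check only limits which frames may talk to it; the URL validation is the
// control that actually stops arbitrary fetches.
function safeHandler(event, fetchImpl, expectedOrigin) {
  if (!event || !event.data || event.data.type !== "load-source") return null;
  if (event.origin !== expectedOrigin) return null;
  const url = validateUrl(event.data.url);
  if (url === null) return null;
  return fetchImpl(url.href);
}

// Test double standing in for fetch(): records every URL it is asked for
// so the two handlers' behaviour can be compared offline.
function recordingFetch() {
  const calls = [];
  const fetchImpl = (u) => {
    calls.push(u);
    return { requested: u };
  };
  return { fetchImpl, calls };
}

// Constructed sample messages: one from an untrusted page pointing at an
// internal host, one that satisfies the hardened handler's checks.
const HOSTILE_EVENT = {
  origin: "https://attacker.invalid",
  data: { type: "load-source", url: "http://internal.invalid/secret" },
};
const BENIGN_EVENT = {
  origin: "https://app.example.invalid",
  data: { type: "load-source", url: "https://devtools.example.invalid/a.map" },
};
```

Run with a recording stub and the unsafe handler requests `http://internal.invalid/secret` verbatim, while the hardened handler returns null for the same message and only fetches the benign URL. The allow-list approach is the conservative choice for an extension; if the extension legitimately needs to fetch from the page's own origin, the check can compare `url.origin` with the page origin instead of a fixed host set, but it must still reject non-https schemes.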
References
- Patch, Third Party Advisory
- Patch, Third Party Advisory
Vulnerable configurations
Configuration 1: versions before 4.28.4 (excluding)
cpe:2.3:a:facebook:react-devtools:*:*:*:*:*:*:*:*
EPSS
Percentile: 26%
0.00092
Low
6.5 Medium
CVSS3
Weaknesses
CWE-285
NVD-CWE-noinfo
CWE-116
Related vulnerabilities
CVSS3: 6.5
github
more than 2 years ago
React Developer Tools extension Improper Authorization vulnerability
EPSS
Percentile: 26%
0.00092
Low
6.5 Medium
CVSS3
Weaknesses
CWE-285
NVD-CWE-noinfo
CWE-116