CVE-2024-11023

Опубликовано: 18 нояб. 2024

Источник: nvd

CVSS3: 6.1

CVSS3: 5.3

EPSS Низкий

Описание

Firebase JavaScript SDK utilizes a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "_authTokenSyncURL" to point to their own server and it would allow an actor to capture user session data transmitted by the SDK. We recommend upgrading Firebase JS SDK at least to 10.9.0.

Ссылки

https://firebase.google.com/support/release-notes/js#version_1090_-_march_14_2024
Release Notes
https://github.com/firebase/firebase-js-sdk/pull/8056
Issue Tracking
Patch

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:google:firebase_javascript_sdk:*:*:*:*:*:*:*:*

Версия до 10.9.0 (исключая)

EPSS

Процентиль: 29%

0.00107

Низкий

6.1 Medium

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-3wf4-68gx-mph8

CVSS3: 5.3

github

около 1 года назад

Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server

EPSS

Процентиль: 29%

0.00107

Низкий

6.1 Medium

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-79