GHSA-rxrc-rgv4-jpvx: React Developer Tools extension Improper Authorization vulnerability

The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URLs via the victim's browser.
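
One way to vet a page-supplied URL before a content script passes it to fetch(), as an added example that is not the extension's code or its actual fix. The message shape { type, url }, the 'fetch-file' type name, the helper names and the same-origin policy are assumptions made for illustration.

```javascript
// Added example. Message shape, type name and policy are assumptions,
// not the extension's real protocol.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns a normalized URL string if the message may trigger a fetch, else null.
function vetFetchMessage(event, pageWindow, pageOrigin) {
  // Drop messages relayed from other frames or windows.
  if (event.source !== pageWindow || event.origin !== pageOrigin) return null;
  const data = event.data;
  if (data === null || typeof data !== 'object') return null;
  if (data.type !== 'fetch-file' || typeof data.url !== 'string') return null;

  let url;
  try {
    url = new URL(data.url, pageOrigin); // resolve relative URLs against the page
  } catch (err) {
    return null; // unparsable URL
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null; // no file:, data:, etc.
  if (url.origin !== pageOrigin) return null;    // nothing the page could not request itself
  if (url.username || url.password) return null; // no embedded credentials
  return url.href;
}

// Wires the check into a listener. `win` and `fetchFn` are injected so the
// handler can be exercised outside a browser.
function installListener(win, fetchFn) {
  win.addEventListener('message', (event) => {
    const url = vetFetchMessage(event, win, win.location.origin);
    if (url === null) return; // rejected: never reaches fetch()
    // Send no cookies and refuse redirects that could leave the vetted origin.
    fetchFn(url, { credentials: 'omit', redirect: 'error' });
  });
}
```

In a content script this would be called as installListener(window, fetch); the validation runs on every message, because any script in the page can post one.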

Moderate severity • GitHub Reviewed • Published Oct 19, 2023 to the GitHub Advisory Database • Updated Oct 20, 2023

Related news

CVE-2023-5654: React Developer Tools v4.27.8 Arbitrary URL Fetch via Malicious Web Page

The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URLs via the victim's browser.