GHSA-qm5v-pj64-852j: Passbolt Api Tabnabbing when opening URI with menu "Open URI in a new tab"

Description

A user could create and share a resource with a malicious URI. When the victim opens it with the “Open URI in a new tab” menu function, the malicious page has access to the window.opener object.

Impact of issue

The newly opened malicious page can, for example, change window.opener.location to redirect the user to a phishing page, or call a JavaScript function served by the AppJS on the user's behalf, for example to try to affect the integrity of the data.

Fix

The code that opens a new window via window.open() now opens the tab with the noopener attribute.
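
The fix described above, as an added example that is not Passbolt's own code: a helper that opens a shared URI with noopener, shown next to the unsafe call and exercised against a constructed stand-in for window. The function names, the win parameter, the fake window and the http(s)-only scheme check are assumptions made for illustration.

```javascript
// `win` stands in for the browser `window` so this runs outside a browser.

// Pattern the advisory describes as vulnerable: no noopener feature.
function openUriUnsafe(win, uri) {
  return win.open(uri, "_blank");
}

// Hardened pattern: open the tab with noopener, as in the advisory's fix.
function openUriInNewTab(win, uri) {
  let parsed;
  try {
    parsed = new URL(uri);
  } catch (err) {
    return false; // not an absolute URL
  }
  // Assumption added here (not in the advisory): only http(s) is opened.
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return false;
  }
  const handle = win.open(parsed.href, "_blank", "noopener,noreferrer");
  // With noopener, window.open() returns null. If a handle does come back,
  // sever the back-reference explicitly.
  if (handle) handle.opener = null;
  return true;
}

// Constructed stand-in for a browser window that models the opener link.
function makeFakeWindow() {
  const win = { tabs: [] };
  win.open = (url, target, features = "") => {
    const noopener = features.split(",").map((f) => f.trim()).includes("noopener");
    const tab = { url, opener: noopener ? null : win };
    win.tabs.push(tab);
    return noopener ? null : tab;
  };
  return win;
}

// Defender's check: does any opened tab still hold a reference to `win`?
function openerExposed(win) {
  return win.tabs.some((tab) => tab.opener === win);
}
```

In a browser, pass the real window as win; the same openerExposed idea can be turned into a unit test that fails whenever a window.open() call is added without noopener.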


Moderate severity GitHub Reviewed Published May 20, 2024 to the GitHub Advisory Database • Updated May 20, 2024

Package

passbolt/passbolt_api (Composer)

Affected versions

< 2.11.0
