CVE-2023-5718

MEDIUM

4.3

Beschreibung

The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard `postMessage()` API. By creating a malicious web page with an iFrame targeting a sensitive resource (i.e. a locally accessible file or sensitive website), and registering a listener on the web page, the extension sent messages back to the listener, containing the base64 encoded screenshot data of the sensitive resource.

CVE Details

CVSS v3.1 Bewertung4.3

SchweregradMEDIUM

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionREQUIRED

Veroffentlicht10/23/2023

Zuletzt geandert11/21/2024

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

vuejs:devtools

Schwachen (CWE)

CWE-200CWE-346

Referenzen

https://gist.github.com/CalumHutton/bdb97077a66021ed455f87823cd7c7cb(report@snyk.io)

https://gist.github.com/CalumHutton/bdb97077a66021ed455f87823cd7c7cb(af854a3a-2127-422b-91ae-364da2661108)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.