CVE-2022-24762 - OpenCVE

sysend.js is a library that allows a user to send messages between pages that are open in the same browser. Users that use cross-origin communication may have their communications intercepted. Impact is limited by the communication occurring in the same browser. This issue has been patched in sysend.js version 1.10.0. The only currently known workaround is to avoid sending communications that a user does not want to have intercepted via sysend messages.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Jcubic	Sysend
Sysend.js Project	Sysend.js

Configuration 1 [-]

cpe:2.3:a:sysend.js_project:sysend.js:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a
https://github.com/jcubic/sysend.js/issues/33
https://github.com/jcubic/sysend.js/releases/tag/1.10.0
https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc

History

Wed, 18 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jcubic Jcubic sysend
CPEs		cpe:2.3:a:jcubic:sysend::::::::
Vendors & Products		Jcubic Jcubic sysend
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-03-14T22:50:10

Updated: 2024-09-18T14:58:43.275Z

Reserved: 2022-02-10T00:00:00

Link: CVE-2022-24762

Vulnrichment

Updated: 2024-08-03T04:20:49.921Z

NVD

Status : Analyzed

Published: 2022-03-14T23:15:08.427

Modified: 2023-07-03T20:35:28.853

Link: CVE-2022-24762

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "sysend.js", "vendor": "jcubic", "versions": [{"status": "affected", "version": "< 1.10.0"}]}], "descriptions": [{"lang": "en", "value": "sysend.js is a library that allows a user to send messages between pages that are open in the same browser. Users that use cross-origin communication may have their communications intercepted. Impact is limited by the communication occurring in the same browser. This issue has been patched in sysend.js version 1.10.0. The only currently known workaround is to avoid sending communications that a user does not want to have intercepted via sysend messages."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-14T22:50:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jcubic/sysend.js/issues/33"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jcubic/sysend.js/releases/tag/1.10.0"}], "source": {"advisory": "GHSA-4vvg-x86p-mvqc", "discovery": "UNKNOWN"}, "title": "Exposure of Sensitive Information to an Unauthorized Actor in sysend.js", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24762", "STATE": "PUBLIC", "TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in sysend.js"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "sysend.js", "version": {"version_data": [{"version_value": "< 1.10.0"}]}}]}, "vendor_name": "jcubic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "sysend.js is a library that allows a user to send messages between pages that are open in the same browser. Users that use cross-origin communication may have their communications intercepted. Impact is limited by the communication occurring in the same browser. This issue has been patched in sysend.js version 1.10.0. The only currently known workaround is to avoid sending communications that a user does not want to have intercepted via sysend messages."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc", "refsource": "CONFIRM", "url": "https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc"}, {"name": "https://github.com/jcubic/sysend.js/issues/33", "refsource": "MISC", "url": "https://github.com/jcubic/sysend.js/issues/33"}, {"name": "https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a", "refsource": "MISC", "url": "https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a"}, {"name": "https://github.com/jcubic/sysend.js/releases/tag/1.10.0", "refsource": "MISC", "url": "https://github.com/jcubic/sysend.js/releases/tag/1.10.0"}]}, "source": {"advisory": "GHSA-4vvg-x86p-mvqc", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:49.921Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jcubic/sysend.js/issues/33"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jcubic/sysend.js/releases/tag/1.10.0"}]}, {"affected": [{"vendor": "jcubic", "product": "sysend", "cpes": ["cpe:2.3:a:jcubic:sysend:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "pkg:npm/sysend@0", "status": "affected", "lessThan": "pkg:npm/sysend@1.10.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-18T14:48:37.565040Z", "id": "CVE-2022-24762", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T14:58:43.275Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24762", "datePublished": "2022-03-14T22:50:10", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-09-18T14:58:43.275Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/jcubic/sysend.js/issues/33", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/jcubic/sysend.js/releases/tag/1.10.0", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:49.921Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-24762", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-18T14:48:37.565040Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:jcubic:sysend:*:*:*:*:*:*:*:*"], "vendor": "jcubic", "product": "sysend", "versions": [{"status": "affected", "version": "pkg:npm/sysend@0", "lessThan": "pkg:npm/sysend@1.10.0", "versionType": "custom"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T14:45:02.717Z"}}], "cna": {"title": "Exposure of Sensitive Information to an Unauthorized Actor in sysend.js", "source": {"advisory": "GHSA-4vvg-x86p-mvqc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "jcubic", "product": "sysend.js", "versions": [{"status": "affected", "version": "< 1.10.0"}]}], "references": [{"url": "https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jcubic/sysend.js/issues/33", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/jcubic/sysend.js/releases/tag/1.10.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "sysend.js is a library that allows a user to send messages between pages that are open in the same browser. Users that use cross-origin communication may have their communications intercepted. Impact is limited by the communication occurring in the same browser. This issue has been patched in sysend.js version 1.10.0. The only currently known workaround is to avoid sending communications that a user does not want to have intercepted via sysend messages."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-03-14T22:50:10"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "GHSA-4vvg-x86p-mvqc", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "< 1.10.0"}]}, "product_name": "sysend.js"}]}, "vendor_name": "jcubic"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc", "name": "https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc", "refsource": "CONFIRM"}, {"url": "https://github.com/jcubic/sysend.js/issues/33", "name": "https://github.com/jcubic/sysend.js/issues/33", "refsource": "MISC"}, {"url": "https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a", "name": "https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a", "refsource": "MISC"}, {"url": "https://github.com/jcubic/sysend.js/releases/tag/1.10.0", "name": "https://github.com/jcubic/sysend.js/releases/tag/1.10.0", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "sysend.js is a library that allows a user to send messages between pages that are open in the same browser. Users that use cross-origin communication may have their communications intercepted. Impact is limited by the communication occurring in the same browser. This issue has been patched in sysend.js version 1.10.0. The only currently known workaround is to avoid sending communications that a user does not want to have intercepted via sysend messages."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-24762", "STATE": "PUBLIC", "TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in sysend.js", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-24762", "state": "PUBLISHED", "dateUpdated": "2024-09-18T14:58:43.275Z", "dateReserved": "2022-02-10T00:00:00", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-03-14T22:50:10", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sysend.js_project:sysend.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A43EE609-11E5-4F09-852C-915CA49B4597", "versionEndExcluding": "1.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "sysend.js is a library that allows a user to send messages between pages that are open in the same browser. Users that use cross-origin communication may have their communications intercepted. Impact is limited by the communication occurring in the same browser. This issue has been patched in sysend.js version 1.10.0. The only currently known workaround is to avoid sending communications that a user does not want to have intercepted via sysend messages."}, {"lang": "es", "value": "sysend.js es una biblioteca que permite a un usuario enviar mensajes entre p\u00e1ginas que est\u00e1n abiertas en el mismo navegador. Los usuarios que usan la comunicaci\u00f3n entre or\u00edgenes pueden ver interceptadas sus comunicaciones. El impacto est\u00e1 limitado por la comunicaci\u00f3n que es producida en el mismo navegador. Este problema ha sido parcheado en la versi\u00f3n 1.10.0 de sysend.js. La \u00fanica medida de mitigaci\u00f3n conocida actualmente es evitar el env\u00edo de comunicaciones que el usuario no quiere que sean interceptadas por medio de mensajes sysend"}], "id": "CVE-2022-24762", "lastModified": "2023-07-03T20:35:28.853", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-03-14T23:15:08.427", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/jcubic/sysend.js/issues/33"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/jcubic/sysend.js/releases/tag/1.10.0"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}