The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URL’s via the victim's browser.
History

Thu, 12 Sep 2024 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-116

cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2023-10-19T14:28:23.769Z

Updated: 2024-09-12T14:35:37.964Z

Reserved: 2023-10-19T12:33:43.948Z

Link: CVE-2023-5654

cve-icon Vulnrichment

Updated: 2024-08-02T08:07:32.588Z

cve-icon NVD

Status : Modified

Published: 2023-10-19T15:15:09.973

Modified: 2024-09-12T15:35:44.870

Link: CVE-2023-5654

cve-icon Redhat

No data.