admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-06-07 13:36:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2024/CVE-2024-347xx/CVE-2024-34714.json
cad-safe-bot 3836b1b1c3 Auto-Update: 2024-05-19T02:00:29.558564+00:00
2024-05-19 02:03:31 +00:00

71 lines
4.4 KiB
JSON
Raw Blame History

{
"id": "CVE-2024-34714",
"sourceIdentifier": "security-advisories@github.com",
"published": "2024-05-14T16:17:27.623",
"lastModified": "2024-05-14T19:17:55.627",
"vulnStatus": "Awaiting Analysis",
"descriptions": [
{
"lang": "en",
"value": "The Hoppscotch Browser Extension is a browser extension for Hoppscotch, a community-driven end-to-end open-source API development ecosystem. Due to an oversight during a change made to the extension in the commit d4e8e4830326f46ba17acd1307977ecd32a85b58, a critical check for the origin list was missed and allowed for messages to be sent to the extension which the extension gladly processed and responded back with the results of, while this wasn't supposed to happen and be blocked by the origin not being present in the origin list.\n\nThis vulnerability exposes Hoppscotch Extension users to sites which call into Hoppscotch Extension APIs internally. This fundamentally allows any site running on the browser with the extension installed to bypass CORS restrictions if the user is running extensions with the given version. This security hole was patched in the commit 7e364b928ab722dc682d0fcad713a96cc38477d6 which was released along with the extension version `0.35`. As a workaround, Chrome users can use the Extensions Settings to disable the extension access to only the origins that you want. Firefox doesn't have an alternative to upgrading to a fixed version."
},
{
"lang": "es",
"value": "Hoppscotch Browser Extension es una extensi\u00f3n de navegador para Hoppscotch, un ecosistema de desarrollo de API de c\u00f3digo abierto de extremo a extremo impulsado por la comunidad. Debido a un descuido durante un cambio realizado en la extensi\u00f3n en el commit d4e8e4830326f46ba17acd1307977ecd32a85b58, se omiti\u00f3 una verificaci\u00f3n cr\u00edtica de la lista de or\u00edgenes y permiti\u00f3 que se enviaran mensajes a la extensi\u00f3n, los cuales la extensi\u00f3n proces\u00f3 con gusto y respondi\u00f3 con los resultados, mientras que esto no se supon\u00eda que sucediera y fuera bloqueado porque el origen no estaba presente en la lista de or\u00edgenes. Esta vulnerabilidad expone a los usuarios de Hoppscotch Extension a sitios que llaman internamente a las API de Hoppscotch Extension. B\u00e1sicamente, esto permite que cualquier sitio que se ejecute en el navegador con la extensi\u00f3n instalada evite las restricciones de CORS si el usuario est\u00e1 ejecutando extensiones con la versi\u00f3n dada. Este agujero de seguridad se solucion\u00f3 en el commit 7e364b928ab722dc682d0fcad713a96cc38477d6 que se lanz\u00f3 junto con la versi\u00f3n de extensi\u00f3n `0.35`. Como workaround, los usuarios de Chrome pueden usar la Configuraci\u00f3n de extensiones para deshabilitar el acceso de la extensi\u00f3n solo a los or\u00edgenes que deseen. Firefox no tiene otra alternativa que actualizar a una versi\u00f3n fija."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-354"
}
]
}
],
"references": [
{
"url": "https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v",
"source": "security-advisories@github.com"
},
{
"url": "https://server.yadhu.in/poc/hoppscotch-poc.html",
"source": "security-advisories@github.com"
}
]
}
Reference in New Issue View Git Blame Copy Permalink