Vulnerability DatabaseCVE-2023-5654
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-5654
October 19, 2023
The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URL’s via the victim's browser.
Related Resources (6)
https://github.com/facebook/react/commit/09285d5a7f1c08bec09f44cec3d0518a603597fc
https://github.com/facebook/react/pull/27417
https://nvd.nist.gov/vuln/detail/CVE-2023-5654
https://gist.github.com/CalumHutton/1fb89b64409570a43f89d1fd3274b231
https://github.com/facebook/react/commit/94d5b5b2bf5204ebd289a113989c0e2c51b626ef
https://github.com/facebook/react
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Improper Authorization
CWE-285
Improper Encoding or Escaping of Output
CWE-116
EPSS
Base Score:
0.09