Home > Vulnerability Database > CVE-2024-11023

Mend.io Vulnerability Database

CVE-2024-11023

Good to know:

Date: November 18, 2024

Firebase JavaScript SDK utilizes a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "_authTokenSyncURL" to point to their own server and it would allow an actor to capture user session data transmitted by the SDK. We recommend upgrading Firebase JS SDK at least to 10.9.0.

Language: C++

Severity Score

5.3

Related Resources (6)

Url: https://github.com/firebase/firebase-js-sdk/commit/245dd26e19b6c16aca7e1b7e597ed5784c2984ba

Url: https://github.com/firebase/firebase-js-sdk/pull/8056

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-11023

Url: https://firebase.google.com/support/release-notes/js#version_1090_-_march_14_2024

Url: https://github.com/firebase/firebase-js-sdk

Url: https://www.mend.io/vulnerability-database/CVE-2024-11023

Severity Score

5.3

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version firebase - 10.9.0;firebase - 10.9.0

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-11023

Good to know:

Date: November 18, 2024

Language: C++

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?