Metric | Value
---|---
CVSS v3 base score | 6.5 Medium
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | NONE
Integrity Impact | LOW
Availability Impact | LOW
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS score | 0.0005 Low
EPSS percentile | 16.7%
The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script, which means the listener is reachable from any web page active in the browser. Within the listener is code that requests, via fetch(), a URL derived from the received message. The URL is neither validated nor sanitised before it is fetched, so a malicious web page can make the victim's browser fetch arbitrary URLs.
CPE | Name | Operator | Version
---|---|---|---
facebook:react-devtools | facebook react-devtools | lt | 4.28.4
```json
[
  {
    "product": "React Developer Tools Extension",
    "vendor": "Meta",
    "versions": [
      {
        "version": "< 4.28.4",
        "status": "affected"
      }
    ]
  }
]
```