osv | Google | OSV:CVE-2023-28154
Mar 13, 2023 - 1:15 a.m.

CVE-2023-28154

2023-03-13 01:15:10
Google
osv.dev
5
Tags: webpack, vulnerability, importparserplugin, cross-realm object access, magic comment feature, attacker, untrusted object, software

AI Score: 9.5 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 64.8%)

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.