GitHub Advisory DatabaseGHSA-4VVG-X86P-MVQCLeaking of user information on Cross-Domain communication in sysend
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile
49.3%
Impact
Users that use Cross-Origin communication and send sensitive information make it possible for this data to be intercepted.
This is not a big impact because it happens only on the same browser.
Patches
It has been patched in version 1.10.0
Workarounds
The only workaround is to not send sensitive information with sysend messages.
Affected configurations
References
github.com/advisories/GHSA-4vvg-x86p-mvqc
github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a
github.com/jcubic/sysend.js/issues/33
github.com/jcubic/sysend.js/releases/tag/1.10.0
github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc
nvd.nist.gov/vuln/detail/CVE-2022-24762
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS
Percentile
49.3%