Lucene search

[email protected]NVD:CVE-2022-24072

HistoryMar 17, 2022 - 6:15 a.m.

CVE-2022-24072

2022-03-1706:15:06

CWE-269

[email protected]

web.nvd.nist.gov

cve-2022-24072

extension store web page

javascript injection

developer tool

download and upload

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

31.3%

JSON

The devtools API in Whale browser before 3.12.129.18 allowed extension developers to inject arbitrary JavaScript into the extension store web page via devtools.inspectedWindow, leading to extensions downloading and uploading when users open the developer tool.

Affected configurations

Nvd

Node

navercorpwhaleRange<3.12.129.18

VendorProductVersionCPE
navercorpwhale*cpe:2.3:a:navercorp:whale:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
navercorp	whale	*	cpe:2.3:a:navercorp:whale::::::::

References

cve.naver.com/detail/cve-2022-24072

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

31.3%

JSON

Related for NVD:CVE-2022-24072

prion1 cnvd1 cvelist1 cve1