CVE-2023-40580 HIGH

CVE-2023-40580: Freighter mnemonic phrase may be accessed by Javascript through a private API

Vendor Stellar

Product freighter

Weakness CWE-200 · Info exposure

Published August 25, 2023

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

Description

Freighter is a Stellar chrome extension. It may be possible for a malicious website to access the recovery mnemonic phrase when the Freighter wallet is unlocked. This vulnerability impacts access control to the mnemonic recovery phrase. This issue was patched in version 5.3.1.

Key dates

Disclosure timeline

August 25, 2023 CVE published

August 2, 2024 Record updated