CVE-2023-5654 MEDIUM

CVE-2023-5654

Vendor Meta
Product React Developer Tools Extension
Weakness CWE-285
Published October 19, 2023
Last update September 12, 2024
View on NVD All CVEs

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URL’s via the victim's browser.

Key dates

02Disclosure timeline

October 19, 2023 CVE published
September 12, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-1597 Bdtask SalesERP Administrative Endpoint improper authorization CVE-2024-2641 Ruijie RG-NBS2009G-P Password passwdManage.htm improper authorization CVE-2021-41093 Account takeover when having only access to a user's short lived token CVE-2022-29234 Grace period for lock settings in public/private chats in BigBlueButton CVE-2025-10902 Originality.ai AI Checker <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Scan Log Deletion via ' ai_scan_result_remove'