CVE-2023-5718 MEDIUM

Vendor: Vue.js
Product: Vue.js devtools
Weakness: CWE-200 · Info exposure
Published: October 23, 2023
Last update: September 11, 2024

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard `postMessage()` API. By creating a malicious web page with an iframe targeting a sensitive resource (e.g. a locally accessible file or a sensitive website) and registering a listener on the web page, an attacker could cause the extension to send messages back to the listener containing the base64-encoded screenshot data of the sensitive resource.

Key dates

02 Disclosure timeline

October 23, 2023: CVE published
September 11, 2024: Record updated