{"uuid": "2e1a7c39-0aa8-4181-b040-5828ebc356ae", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-5654", "type": "seen", "source": "https://t.me/cibsecurity/72575", "content": "\u203c CVE-2023-5654 \u203c\n\nThe React Developer Tools extension registers a message listener with window.addEventListener('message', ) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URL\u2019s via the victim's browser.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-10-19T19:31:53.000000Z"}