CVE-2022-24762 - OpenCVE

sysend.js is a library that allows a user to send messages between pages that are open in the same browser. Users that use cross-origin communication may have their communications intercepted. Impact is limited by the communication occurring in the same browser. This issue has been patched in sysend.js version 1.10.0. The only currently known workaround is to avoid sending communications that a user does not want to have intercepted via sysend messages.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Sysend.js Project	Sysend.js

Configuration 1 [-]

cpe:2.3:a:sysend.js_project:sysend.js:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a	Patch Third Party Advisory
https://github.com/jcubic/sysend.js/issues/33	Exploit Issue Tracking Third Party Advisory
https://github.com/jcubic/sysend.js/releases/tag/1.10.0	Release Notes Third Party Advisory
https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-03-14T22:50:10

Updated: 2022-03-14T22:50:10

Reserved: 2022-02-10T00:00:00

Link: CVE-2022-24762

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-14T23:15:08.427

Modified: 2023-07-03T20:35:28.853

Link: CVE-2022-24762

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "sysend.js", "vendor": "jcubic", "versions": [{"status": "affected", "version": "< 1.10.0"}]}], "descriptions": [{"lang": "en", "value": "sysend.js is a library that allows a user to send messages between pages that are open in the same browser. Users that use cross-origin communication may have their communications intercepted. Impact is limited by the communication occurring in the same browser. This issue has been patched in sysend.js version 1.10.0. The only currently known workaround is to avoid sending communications that a user does not want to have intercepted via sysend messages."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-14T22:50:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jcubic/sysend.js/issues/33"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jcubic/sysend.js/releases/tag/1.10.0"}], "source": {"advisory": "GHSA-4vvg-x86p-mvqc", "discovery": "UNKNOWN"}, "title": "Exposure of Sensitive Information to an Unauthorized Actor in sysend.js", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24762", "STATE": "PUBLIC", "TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in sysend.js"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "sysend.js", "version": {"version_data": [{"version_value": "< 1.10.0"}]}}]}, "vendor_name": "jcubic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "sysend.js is a library that allows a user to send messages between pages that are open in the same browser. Users that use cross-origin communication may have their communications intercepted. Impact is limited by the communication occurring in the same browser. This issue has been patched in sysend.js version 1.10.0. The only currently known workaround is to avoid sending communications that a user does not want to have intercepted via sysend messages."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc", "refsource": "CONFIRM", "url": "https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc"}, {"name": "https://github.com/jcubic/sysend.js/issues/33", "refsource": "MISC", "url": "https://github.com/jcubic/sysend.js/issues/33"}, {"name": "https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a", "refsource": "MISC", "url": "https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a"}, {"name": "https://github.com/jcubic/sysend.js/releases/tag/1.10.0", "refsource": "MISC", "url": "https://github.com/jcubic/sysend.js/releases/tag/1.10.0"}]}, "source": {"advisory": "GHSA-4vvg-x86p-mvqc", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24762", "datePublished": "2022-03-14T22:50:10", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2022-03-14T22:50:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sysend.js_project:sysend.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A43EE609-11E5-4F09-852C-915CA49B4597", "versionEndExcluding": "1.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "sysend.js is a library that allows a user to send messages between pages that are open in the same browser. Users that use cross-origin communication may have their communications intercepted. Impact is limited by the communication occurring in the same browser. This issue has been patched in sysend.js version 1.10.0. The only currently known workaround is to avoid sending communications that a user does not want to have intercepted via sysend messages."}, {"lang": "es", "value": "sysend.js es una biblioteca que permite a un usuario enviar mensajes entre p\u00e1ginas que est\u00e1n abiertas en el mismo navegador. Los usuarios que usan la comunicaci\u00f3n entre or\u00edgenes pueden ver interceptadas sus comunicaciones. El impacto est\u00e1 limitado por la comunicaci\u00f3n que es producida en el mismo navegador. Este problema ha sido parcheado en la versi\u00f3n 1.10.0 de sysend.js. La \u00fanica medida de mitigaci\u00f3n conocida actualmente es evitar el env\u00edo de comunicaciones que el usuario no quiere que sean interceptadas por medio de mensajes sysend"}], "id": "CVE-2022-24762", "lastModified": "2023-07-03T20:35:28.853", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-03-14T23:15:08.427", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/jcubic/sysend.js/issues/33"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/jcubic/sysend.js/releases/tag/1.10.0"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}