GHSA-3wf4-68gx-mph8

Suggest an improvement
Source
https://github.com/advisories/GHSA-3wf4-68gx-mph8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-3wf4-68gx-mph8/GHSA-3wf4-68gx-mph8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3wf4-68gx-mph8
Aliases
  • CVE-2024-11023
Published
2024-11-18T12:30:42Z
Modified
2024-11-18T20:12:14.525352Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
  • 5.2 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server
Details

Firebase JavaScript SDK utilizes a "FIREBASEDEFAULTS" cookie to store configuration data, including an "authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "_authTokenSyncURL" to point to their own server and it would allow am actor to capture user session data transmitted by the SDK. We recommend upgrading Firebase JS SDK at least to 10.9.0.

Database specific
{
    "nvd_published_at": "2024-11-18T11:15:05Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-18T20:04:30Z"
}
References

Affected packages

npm / firebase

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.9.0