Vulnerability Details : CVE-2018-14730
An issue was discovered in Browserify-HMR. The WebSocket server used for HMR (Hot Module Replacement) does not check the origin of incoming connections, so an attacker can steal the developer's code: anyone who opens a connection to ws://127.0.0.1:3123/ from any origin (for example, a script on a web page the developer happens to visit) receives the HMR messages the server sends, which carry the updated module source.
Vulnerability category: Information leak
Products affected by CVE-2018-14730
- Browserify-hot Module Replacement Project » Browserify-hot Module Replacement » Version: N/A (for Browserify)
  CPE: cpe:2.3:a:browserify-hot_module_replacement_project:browserify-hot_module_replacement:-:*:*:*:*:browserify:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-14730
EPSS score: 0.48% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~76% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2018-14730
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
| 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2018-14730
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-14730
- https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages ("Sniffing Codes in Hot Module Reloading Messages", crblog) Exploit; Third Party Advisory
- https://github.com/AgentME/browserify-hmr/issues/41 ("A vulnerability found in browserify-hmr", Issue #41, Macil/browserify-hmr on GitHub) Third Party Advisory