CVE-2022-24762 : sysend.js is a library that allows a user to send messages between pages that ar

sysend.js is a library that allows a user to send messages between pages that are open in the same browser. Users that use cross-origin communication may have their communications intercepted. Impact is limited by the communication occurring in the same browser. This issue has been patched in sysend.js version 1.10.0. The only currently known workaround is to avoid sending communications that a user does not want to have intercepted via sysend messages.

Published 2022-03-14 23:15:08

Updated 2023-07-03 20:35:29

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2022-24762

Sysend.js Project » Sysend.js » For Node.js
Versions before (<) 1.10.0
cpe:2.3:a:sysend.js_project:sysend.js:*:*:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-24762

EPSS FAQ

0.19%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 38 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-24762

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	2.8	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2022-24762

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: security-advisories@github.com (Secondary)
CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-24762

https://github.com/jcubic/sysend.js/commit/a24f4b776fb18191ae0f7e3d90c2c7bec459431a

fix security issue with Cross-Domain communication #33 · jcubic/sysend.js@a24f4b7 · GitHub
Patch;Third Party Advisory
https://github.com/jcubic/sysend.js/security/advisories/GHSA-4vvg-x86p-mvqc

Leaking of user information on Cross-Domain communication · Advisory · jcubic/sysend.js · GitHub
Third Party Advisory
https://github.com/jcubic/sysend.js/releases/tag/1.10.0

Release 1.10.0 · jcubic/sysend.js · GitHub
Release Notes;Third Party Advisory
https://github.com/jcubic/sysend.js/issues/33

Leaking of potentially sensitive user information on Cross-Domain communication · Issue #33 · jcubic/sysend.js · GitHub
Exploit;Issue Tracking;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-24762

Products affected by CVE-2022-24762

Exploit prediction scoring system (EPSS) score for CVE-2022-24762

CVSS scores for CVE-2022-24762

CWE ids for CVE-2022-24762

References for CVE-2022-24762