GHSA-qm5v-pj64-852j passbolt/passbolt_api

Package

Manager: composer
Name: passbolt/passbolt_api
Vulnerable Version: >=0 <2.11.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Passbolt Api Tabnabbing when opening URI with menu "Open URI in a new tab"

### Description

A user could create and share a resource with a malicious URI. When the victim opens it with the “Open URI in a new tab” menu function, the malicious page has access to the window.opener object.

### Impact of issue

The newly opened malicious page can, for example, change window.opener.location to redirect the user to a phishing page, or call a JavaScript function served by the AppJS on the user's behalf, for example to try to affect the integrity of the data.

### Fix

The code that opens a new window via window.open() now opens the tab with the noopener attribute.
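The before and after of the window.open() call described above, as an added example that is not Passbolt's own code. StubWindow, the function names and the example.com-style URLs are constructed for illustration; the stub models only the browser rule that the noopener feature withholds window.opener from the new tab.

```javascript
// Constructed stand-in for a browser window: just enough to model window.opener.
class StubWindow {
  constructor(href, opener = null) {
    this.location = { href };
    this.opener = opener;
  }
  // Mirrors browser behaviour: with "noopener" in the features string the new
  // context gets no opener reference and open() returns null to the caller.
  open(url, target, features = "") {
    const flags = features.split(",").map((f) => f.trim().toLowerCase());
    const isolated = flags.includes("noopener");
    const child = new StubWindow(url, isolated ? null : this);
    this.lastChild = child; // test hook only; real browsers expose nothing like this
    return isolated ? null : child;
  }
}

// "Before": the pattern the advisory describes; the new page is handed an opener.
function openUriInNewTabBefore(win, uri) {
  return win.open(uri, "_blank");
}

// "After": the same call with the noopener feature, as in the fix.
function openUriInNewTabAfter(win, uri) {
  const handle = win.open(uri, "_blank", "noopener");
  if (handle) handle.opener = null; // fallback if an engine ignores the feature
  return handle;
}

// True when the page opened from appWindow holds a reference back to it.
function openedPageCanReachOpener(appWindow) {
  return appWindow.lastChild.opener === appWindow;
}

function demo() {
  const before = new StubWindow("https://passbolt.example/app");
  openUriInNewTabBefore(before, "https://shared-resource.example/");
  const after = new StubWindow("https://passbolt.example/app");
  openUriInNewTabAfter(after, "https://shared-resource.example/");
  return {
    before: openedPageCanReachOpener(before),
    after: openedPageCanReachOpener(after),
  };
}

console.log(demo());
```

In a real browser the check is the same from the opened page's side: with the fix in place, window.opener there is null.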

Metadata

Created: 2024-05-20T17:09:57Z
Modified: 2024-05-20T17:09:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-qm5v-pj64-852j/GHSA-qm5v-pj64-852j.json
CWE IDs: ["CWE-657"]
Alternative ID: N/A
Finding: F138
Auto approve: 1