
    2 vulnerabilities found for Secure Exam Proctor Extension by Proctorio

    CVE-2026-2345 (GCVE-0-2026-2345)

    Vulnerability from cvelistv5 – Published: 2026-02-11 14:49 – Updated: 2026-02-11 21:19
    VLAI
    Title
    Insufficient Origin Validation in Proctorio Chrome Extension postMessage Handlers
    Summary
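    Proctorio Chrome Extension is a browser extension used for online proctoring. The extension registers multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes a message based solely on the presence of a fromWebsite property, without verifying the event.origin attribute, so a message posted from an unexpected origin is handled the same way as one from the intended site. The record does not state what the bridge does with such messages. Handlers of this kind should compare event.origin against the expected origins before acting on a message.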
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    Assigner
    Impacted products
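    Vendor: Proctorio
    Product: Secure Exam Proctor Extension
    Affected: 1.5.25220.33
    Unaffected: 1.5.25220.36
    Note: the record sets defaultStatus to "unaffected" and lists a single affected version, so builds earlier than 1.5.25220.33 are not marked as affected; this may mean they were not assessed rather than that they are safe.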
    Credits
    Caen Jones (@vcc3v)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2345",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-11T21:19:02.758590Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-11T21:19:08.551Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Secure Exam Proctor Extension",
              "vendor": "Proctorio",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.5.25220.33"
                },
                {
                  "status": "unaffected",
                  "version": "1.5.25220.36"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Caen Jones (@vcc3v)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eProctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener(\u0027message\u0027, ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on the presence of a fromWebsite property without verifying the event.origin attribute.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener(\u0027message\u0027, ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on the presence of a fromWebsite property without verifying the event.origin attribute."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.6,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346 Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-11T14:49:44.991Z",
            "orgId": "7004884b-51e2-48e8-b4a2-5ca29e80453e",
            "shortName": "Hackrate"
          },
          "references": [
            {
              "url": "https://www.hckrt.com/hacktivity/46b61f36-b685-4667-aebf-82a67ad69ad6"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Insufficient Origin Validation in Proctorio Chrome Extension postMessage Handlers",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7004884b-51e2-48e8-b4a2-5ca29e80453e",
        "assignerShortName": "Hackrate",
        "cveId": "CVE-2026-2345",
        "datePublished": "2026-02-11T14:49:44.991Z",
        "dateReserved": "2026-02-11T14:45:32.162Z",
        "dateUpdated": "2026-02-11T21:19:08.551Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2345 (GCVE-0-2026-2345)

    Vulnerability from nvd – Published: 2026-02-11 14:49 – Updated: 2026-02-11 21:19
    VLAI
    Title
    Insufficient Origin Validation in Proctorio Chrome Extension postMessage Handlers
    Summary
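    Proctorio Chrome Extension is a browser extension used for online proctoring. The extension registers multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes a message based solely on the presence of a fromWebsite property, without verifying the event.origin attribute, so a message posted from an unexpected origin is handled the same way as one from the intended site. The record does not state what the bridge does with such messages. Handlers of this kind should compare event.origin against the expected origins before acting on a message.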
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    Assigner
    Impacted products
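    Vendor: Proctorio
    Product: Secure Exam Proctor Extension
    Affected: 1.5.25220.33
    Unaffected: 1.5.25220.36
    Note: the record sets defaultStatus to "unaffected" and lists a single affected version, so builds earlier than 1.5.25220.33 are not marked as affected; this may mean they were not assessed rather than that they are safe.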
    Credits
    Caen Jones (@vcc3v)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2345",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-11T21:19:02.758590Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-11T21:19:08.551Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Secure Exam Proctor Extension",
              "vendor": "Proctorio",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.5.25220.33"
                },
                {
                  "status": "unaffected",
                  "version": "1.5.25220.36"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Caen Jones (@vcc3v)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eProctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener(\u0027message\u0027, ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on the presence of a fromWebsite property without verifying the event.origin attribute.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener(\u0027message\u0027, ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on the presence of a fromWebsite property without verifying the event.origin attribute."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-63",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-63 Cross-Site Scripting (XSS)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.6,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346 Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-11T14:49:44.991Z",
            "orgId": "7004884b-51e2-48e8-b4a2-5ca29e80453e",
            "shortName": "Hackrate"
          },
          "references": [
            {
              "url": "https://www.hckrt.com/hacktivity/46b61f36-b685-4667-aebf-82a67ad69ad6"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Insufficient Origin Validation in Proctorio Chrome Extension postMessage Handlers",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7004884b-51e2-48e8-b4a2-5ca29e80453e",
        "assignerShortName": "Hackrate",
        "cveId": "CVE-2026-2345",
        "datePublished": "2026-02-11T14:49:44.991Z",
        "dateReserved": "2026-02-11T14:45:32.162Z",
        "dateUpdated": "2026-02-11T21:19:08.551Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }