CVE-2024-34714 (GCVE-0-2024-34714)

Vulnerability from cvelistv5 – Published: 2024-05-14 14:48 – Updated: 2024-08-02 02:59
VLAI?
Title
Hoppscotch Extension responds to calls made by origins not in the domain list
Summary
The Hoppscotch Browser Extension is a browser extension for Hoppscotch, a community-driven end-to-end open-source API development ecosystem. Due to an oversight during a change made to the extension in the commit d4e8e4830326f46ba17acd1307977ecd32a85b58, a critical check for the origin list was missed and allowed for messages to be sent to the extension which the extension gladly processed and responded back with the results of, while this wasn't supposed to happen and be blocked by the origin not being present in the origin list. This vulnerability exposes Hoppscotch Extension users to sites which call into Hoppscotch Extension APIs internally. This fundamentally allows any site running on the browser with the extension installed to bypass CORS restrictions if the user is running extensions with the given version. This security hole was patched in the commit 7e364b928ab722dc682d0fcad713a96cc38477d6 which was released along with the extension version `0.35`. As a workaround, Chrome users can use the Extensions Settings to disable the extension access to only the origins that you want. Firefox doesn't have an alternative to upgrading to a fixed version.
Severity ?
7.6 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
CWE
  • CWE-354 - Improper Validation of Integrity Check Value
Assigner
References
Impacted products
Vendor Product Version
hoppscotch hoppscotch-extension Affected: >= 0.28, < 0.35
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:hoppscotch:hoppscotch_extension:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "hoppscotch_extension",
            "vendor": "hoppscotch",
            "versions": [
              {
                "lessThan": "0.28",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-34714",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-14T16:03:31.682244Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-06T19:11:08.066Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:59:22.606Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v"
          },
          {
            "name": "https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6"
          },
          {
            "name": "https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58"
          },
          {
            "name": "https://server.yadhu.in/poc/hoppscotch-poc.html",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://server.yadhu.in/poc/hoppscotch-poc.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "hoppscotch-extension",
          "vendor": "hoppscotch",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.28, \u003c 0.35"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Hoppscotch Browser Extension is a browser extension for Hoppscotch, a community-driven end-to-end open-source API development ecosystem. Due to an oversight during a change made to the extension in the commit d4e8e4830326f46ba17acd1307977ecd32a85b58, a critical check for the origin list was missed and allowed for messages to be sent to the extension which the extension gladly processed and responded back with the results of, while this wasn\u0027t supposed to happen and be blocked by the origin not being present in the origin list.\n\nThis vulnerability exposes Hoppscotch Extension users to sites which call into Hoppscotch Extension APIs internally. This fundamentally allows any site running on the browser with the extension installed to bypass CORS restrictions if the user is running extensions with the given version. This security hole was patched in the commit 7e364b928ab722dc682d0fcad713a96cc38477d6 which was released along with the extension version `0.35`. As a workaround, Chrome users can use the Extensions Settings to disable the extension access to only the origins that you want. Firefox doesn\u0027t have an alternative to upgrading to a fixed version."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-354",
              "description": "CWE-354: Improper Validation of Integrity Check Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-14T14:48:36.879Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v"
        },
        {
          "name": "https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6"
        },
        {
          "name": "https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58"
        },
        {
          "name": "https://server.yadhu.in/poc/hoppscotch-poc.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://server.yadhu.in/poc/hoppscotch-poc.html"
        }
      ],
      "source": {
        "advisory": "GHSA-jjh5-pvqx-gg5v",
        "discovery": "UNKNOWN"
      },
      "title": "Hoppscotch Extension responds to calls made by origins not in the domain list"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-34714",
    "datePublished": "2024-05-14T14:48:36.879Z",
    "dateReserved": "2024-05-07T13:53:00.133Z",
    "dateUpdated": "2024-08-02T02:59:22.606Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The Hoppscotch Browser Extension is a browser extension for Hoppscotch, a community-driven end-to-end open-source API development ecosystem. Due to an oversight during a change made to the extension in the commit d4e8e4830326f46ba17acd1307977ecd32a85b58, a critical check for the origin list was missed and allowed for messages to be sent to the extension which the extension gladly processed and responded back with the results of, while this wasn\u0027t supposed to happen and be blocked by the origin not being present in the origin list.\\n\\nThis vulnerability exposes Hoppscotch Extension users to sites which call into Hoppscotch Extension APIs internally. This fundamentally allows any site running on the browser with the extension installed to bypass CORS restrictions if the user is running extensions with the given version. This security hole was patched in the commit 7e364b928ab722dc682d0fcad713a96cc38477d6 which was released along with the extension version `0.35`. As a workaround, Chrome users can use the Extensions Settings to disable the extension access to only the origins that you want. Firefox doesn\u0027t have an alternative to upgrading to a fixed version.\"}, {\"lang\": \"es\", \"value\": \"Hoppscotch Browser Extension es una extensi\\u00f3n de navegador para Hoppscotch, un ecosistema de desarrollo de API de c\\u00f3digo abierto de extremo a extremo impulsado por la comunidad. Debido a un descuido durante un cambio realizado en la extensi\\u00f3n en el commit d4e8e4830326f46ba17acd1307977ecd32a85b58, se omiti\\u00f3 una verificaci\\u00f3n cr\\u00edtica de la lista de or\\u00edgenes y permiti\\u00f3 que se enviaran mensajes a la extensi\\u00f3n, los cuales la extensi\\u00f3n proces\\u00f3 con gusto y respondi\\u00f3 con los resultados, mientras que esto no se supon\\u00eda que sucediera y fuera bloqueado porque el origen no estaba presente en la lista de or\\u00edgenes. Esta vulnerabilidad expone a los usuarios de Hoppscotch Extension a sitios que llaman internamente a las API de Hoppscotch Extension. B\\u00e1sicamente, esto permite que cualquier sitio que se ejecute en el navegador con la extensi\\u00f3n instalada evite las restricciones de CORS si el usuario est\\u00e1 ejecutando extensiones con la versi\\u00f3n dada. Este agujero de seguridad se solucion\\u00f3 en el commit 7e364b928ab722dc682d0fcad713a96cc38477d6 que se lanz\\u00f3 junto con la versi\\u00f3n de extensi\\u00f3n `0.35`. Como workaround, los usuarios de Chrome pueden usar la Configuraci\\u00f3n de extensiones para deshabilitar el acceso de la extensi\\u00f3n solo a los or\\u00edgenes que deseen. Firefox no tiene otra alternativa que actualizar a una versi\\u00f3n fija.\"}]",
      "id": "CVE-2024-34714",
      "lastModified": "2024-11-21T09:19:15.093",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H\", \"baseScore\": 7.6, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 4.7}]}",
      "published": "2024-05-14T16:17:27.623",
      "references": "[{\"url\": \"https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://server.yadhu.in/poc/hoppscotch-poc.html\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://server.yadhu.in/poc/hoppscotch-poc.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-354\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-34714\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-05-14T16:17:27.623\",\"lastModified\":\"2024-11-21T09:19:15.093\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Hoppscotch Browser Extension is a browser extension for Hoppscotch, a community-driven end-to-end open-source API development ecosystem. Due to an oversight during a change made to the extension in the commit d4e8e4830326f46ba17acd1307977ecd32a85b58, a critical check for the origin list was missed and allowed for messages to be sent to the extension which the extension gladly processed and responded back with the results of, while this wasn\u0027t supposed to happen and be blocked by the origin not being present in the origin list.\\n\\nThis vulnerability exposes Hoppscotch Extension users to sites which call into Hoppscotch Extension APIs internally. This fundamentally allows any site running on the browser with the extension installed to bypass CORS restrictions if the user is running extensions with the given version. This security hole was patched in the commit 7e364b928ab722dc682d0fcad713a96cc38477d6 which was released along with the extension version `0.35`. As a workaround, Chrome users can use the Extensions Settings to disable the extension access to only the origins that you want. Firefox doesn\u0027t have an alternative to upgrading to a fixed version.\"},{\"lang\":\"es\",\"value\":\"Hoppscotch Browser Extension es una extensi\u00f3n de navegador para Hoppscotch, un ecosistema de desarrollo de API de c\u00f3digo abierto de extremo a extremo impulsado por la comunidad. Debido a un descuido durante un cambio realizado en la extensi\u00f3n en el commit d4e8e4830326f46ba17acd1307977ecd32a85b58, se omiti\u00f3 una verificaci\u00f3n cr\u00edtica de la lista de or\u00edgenes y permiti\u00f3 que se enviaran mensajes a la extensi\u00f3n, los cuales la extensi\u00f3n proces\u00f3 con gusto y respondi\u00f3 con los resultados, mientras que esto no se supon\u00eda que sucediera y fuera bloqueado porque el origen no estaba presente en la lista de or\u00edgenes. Esta vulnerabilidad expone a los usuarios de Hoppscotch Extension a sitios que llaman internamente a las API de Hoppscotch Extension. B\u00e1sicamente, esto permite que cualquier sitio que se ejecute en el navegador con la extensi\u00f3n instalada evite las restricciones de CORS si el usuario est\u00e1 ejecutando extensiones con la versi\u00f3n dada. Este agujero de seguridad se solucion\u00f3 en el commit 7e364b928ab722dc682d0fcad713a96cc38477d6 que se lanz\u00f3 junto con la versi\u00f3n de extensi\u00f3n `0.35`. Como workaround, los usuarios de Chrome pueden usar la Configuraci\u00f3n de extensiones para deshabilitar el acceso de la extensi\u00f3n solo a los or\u00edgenes que deseen. Firefox no tiene otra alternativa que actualizar a una versi\u00f3n fija.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-354\"}]}],\"references\":[{\"url\":\"https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://server.yadhu.in/poc/hoppscotch-poc.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://server.yadhu.in/poc/hoppscotch-poc.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v\", \"name\": \"https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6\", \"name\": \"https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58\", \"name\": \"https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://server.yadhu.in/poc/hoppscotch-poc.html\", \"name\": \"https://server.yadhu.in/poc/hoppscotch-poc.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:59:22.606Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-34714\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-14T16:03:31.682244Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:hoppscotch:hoppscotch_extension:*:*:*:*:*:*:*:*\"], \"vendor\": \"hoppscotch\", \"product\": \"hoppscotch_extension\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.28\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-14T16:13:58.645Z\"}}], \"cna\": {\"title\": \"Hoppscotch Extension responds to calls made by origins not in the domain list\", \"source\": {\"advisory\": \"GHSA-jjh5-pvqx-gg5v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"hoppscotch\", \"product\": \"hoppscotch-extension\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.28, \u003c 0.35\"}]}], \"references\": [{\"url\": \"https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v\", \"name\": \"https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6\", \"name\": \"https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58\", \"name\": \"https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://server.yadhu.in/poc/hoppscotch-poc.html\", \"name\": \"https://server.yadhu.in/poc/hoppscotch-poc.html\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Hoppscotch Browser Extension is a browser extension for Hoppscotch, a community-driven end-to-end open-source API development ecosystem. Due to an oversight during a change made to the extension in the commit d4e8e4830326f46ba17acd1307977ecd32a85b58, a critical check for the origin list was missed and allowed for messages to be sent to the extension which the extension gladly processed and responded back with the results of, while this wasn\u0027t supposed to happen and be blocked by the origin not being present in the origin list.\\n\\nThis vulnerability exposes Hoppscotch Extension users to sites which call into Hoppscotch Extension APIs internally. This fundamentally allows any site running on the browser with the extension installed to bypass CORS restrictions if the user is running extensions with the given version. This security hole was patched in the commit 7e364b928ab722dc682d0fcad713a96cc38477d6 which was released along with the extension version `0.35`. As a workaround, Chrome users can use the Extensions Settings to disable the extension access to only the origins that you want. Firefox doesn\u0027t have an alternative to upgrading to a fixed version.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-354\", \"description\": \"CWE-354: Improper Validation of Integrity Check Value\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-14T14:48:36.879Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-34714\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T02:59:22.606Z\", \"dateReserved\": \"2024-05-07T13:53:00.133Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-05-14T14:48:36.879Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.