We found results for “”
WS-2022-0096
Good to know:
Date: March 3, 2022
In @advanced-rest-client/base before 0.1.10, when the end-user click on the response header that contains a link the target will be opened in ARC new window. This window will have the default preload script loaded which allows the scripts embedded in the link target to execute any logic that ARC has access to from the renderer process, which includes file system access, data store access (which may contain sensitive information), and some additional processes that only ARC should have access to.
Language: JS
Severity Score
Severity Score
Weakness Type (CWE)
Execution with Unnecessary Privileges
CWE-250Top Fix
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | HIGH |
Availability (A): | HIGH |