CVE-2024-34714
Hoppscotch Extension responds to calls made by origins not in the domain list
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The Hoppscotch Browser Extension is a browser extension for Hoppscotch, a community-driven end-to-end open-source API development ecosystem. Due to an oversight during a change made to the extension in the commit d4e8e4830326f46ba17acd1307977ecd32a85b58, a critical check for the origin list was missed and allowed for messages to be sent to the extension which the extension gladly processed and responded back with the results of, while this wasn't supposed to happen and be blocked by the origin not being present in the origin list.
This vulnerability exposes Hoppscotch Extension users to sites which call into Hoppscotch Extension APIs internally. This fundamentally allows any site running on the browser with the extension installed to bypass CORS restrictions if the user is running extensions with the given version. This security hole was patched in the commit 7e364b928ab722dc682d0fcad713a96cc38477d6 which was released along with the extension version `0.35`. As a workaround, Chrome users can use the Extensions Settings to disable the extension access to only the origins that you want. Firefox doesn't have an alternative to upgrading to a fixed version.
Hoppscotch Browser Extension es una extensión de navegador para Hoppscotch, un ecosistema de desarrollo de API de código abierto de extremo a extremo impulsado por la comunidad. Debido a un descuido durante un cambio realizado en la extensión en el commit d4e8e4830326f46ba17acd1307977ecd32a85b58, se omitió una verificación crítica de la lista de orígenes y permitió que se enviaran mensajes a la extensión, los cuales la extensión procesó con gusto y respondió con los resultados, mientras que esto no se suponía que sucediera y fuera bloqueado porque el origen no estaba presente en la lista de orígenes. Esta vulnerabilidad expone a los usuarios de Hoppscotch Extension a sitios que llaman internamente a las API de Hoppscotch Extension. Básicamente, esto permite que cualquier sitio que se ejecute en el navegador con la extensión instalada evite las restricciones de CORS si el usuario está ejecutando extensiones con la versión dada. Este agujero de seguridad se solucionó en el commit 7e364b928ab722dc682d0fcad713a96cc38477d6 que se lanzó junto con la versión de extensión `0.35`. Como workaround, los usuarios de Chrome pueden usar la Configuración de extensiones para deshabilitar el acceso de la extensión solo a los orígenes que deseen. Firefox no tiene otra alternativa que actualizar a una versión fija.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-07 CVE Reserved
- 2024-05-14 CVE Published
- 2024-05-15 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-354: Improper Validation of Integrity Check Value
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6 | X_refsource_misc | |
| https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58 | X_refsource_misc | |
| https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v | X_refsource_confirm | |
| https://server.yadhu.in/poc/hoppscotch-poc.html | X_refsource_misc |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Hoppscotch Search vendor "Hoppscotch" | Hoppscotch-extension Search vendor "Hoppscotch" for product "Hoppscotch-extension" | >= 0.28 < 0.35 Search vendor "Hoppscotch" for product "Hoppscotch-extension" and version " >= 0.28 < 0.35" | en |
Affected
| ||||||