9.8

CVE-2023-28154

webpack JS package <= 5.75.0 - Sandbox Bypass

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Mögliche Gegenmaßnahme
ElasticPress: Update to version 4.5.1, or a newer patched version
Restricted Site Access: Update to version 7.4.0, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Webpack.JsWebpack SwPlatformnode.js Version >= 5.0.0 < 5.76.0
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt ElasticPress
Version *-4.5.0
SystemWordPress Plugin
Produkt Restricted Site Access
Version *-7.3.5
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.42% 0.694
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0
Patch
Product
https://github.com/webpack/webpack/pull/16500
Patch
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D/
https://www.wordfence.com/threat-intel/vulnerabilities/id/1cda31a4-4c79-4567-a527-6510c31d2843
Third Party Advisory