These messages are displayed as HTML instead of the expected warning banner. To exploit this vulnerability, a user with administrator privileges could embed malicious JavaScript code in the message.
Extension developers are encouraged to review the source of their extensions to confirm that user input is not being cut and pasted from the browser console.
CVE-2023-42986
These messages are displayed as HTML instead of the expected warning banner. To exploit this vulnerability, a user with administrator privileges could embed malicious JavaScript code in the message.
Extension developers are encouraged to review the source of their extensions to confirm that user input is not being cut and pasted from the browser console.
Critical: Arbitrary code execution vulnerability
An arbitrary JavaScript execution vulnerability has been discovered in the extension. The vulnerability is triggered when a user clicks on an embedded link that points to a website controlled by an attacker. To exploit this vulnerability, the user must have administrator privileges and the message being sent must have HTML content.
Timeline
Published on: 11/17/2022 05:15:00 UTC
Last modified on: 11/17/2022 22:26:00 UTC