CVE-2024-11023

Published Nov 18, 2024

Last updated 3 months ago

CVSS medium 5.2

Overview

Description
Firebase JavaScript SDK utilizes a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "_authTokenSyncURL" to point to their own server and it would allow an actor to capture user session data transmitted by the SDK. We recommend upgrading Firebase JS SDK at least to 10.9.0.
Source
cve-coordination@google.com
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
5.2
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Secondary
Base score
5.3
Impact score
1.4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity
MEDIUM

Weaknesses

cve-coordination@google.com
CWE-79

Social media

Hype score
Not currently trending

  1. 🚨 CVE-2024-11023 (Published: 2024-11-18) - High severity vulnerability in Google Firebase. Affects versions prior to the fix in PR #8056. Ensure your Firebase JS SDK is updated to mitigate risks. Check the details here: https://t.co/kLpDlq1nF2 #CyberSecurity #VulnerabilityAlert

    @transilienceai

    22 Nov 2024

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2024-11023 Firebase JavaScript SDK utilizes a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session synchronization. I… https://t.co/4FTjw8xLcE

    @CVEnew

    18 Nov 2024

    480 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

References