Description

openframe-glsviewer is a Openframe extension which adds support for shaders via glslViewer. openframe-glsviewer downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Remediation

References

https://nodesecurity.io/advisories/208

Related Vulnerabilities

CVE-2022-24823 Vulnerability in maven package io.netty:netty-common

CVE-2022-41927 Vulnerability in maven package org.xwiki.platform:xwiki-platform-tag-ui

CVE-2017-2608 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2019-12041 Vulnerability in maven package org.webjars.bowergithub.jonschlinkert:remarkable

CVE-2017-16198 Vulnerability in npm package ritp

Severity

Critical

Classification

CWE-310 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory