Closed lamrecognitions closed 4 months ago
Hi @lamrecognitions, thanks for sending this. There is a similar PR https://github.com/hashgraph/hedera-sourcify/security/dependabot/62 that seems to address this. Moreover, the report described here does not appear to affect our codebase.
The project hashgraph/hedera-sourcify uses webpack, which does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
CVE-2023-28154
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description:
Related issue(s):
Fixes #
Notes for reviewer:
Checklist