CVE-2024-28120

Published: Mar 11, 2024Modified: Feb 26, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

codeium-chrome is an open source code completion plugin for the chrome web browser. The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium api-key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key.

Affected (1)

Products: Codeium: Codeium

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Codeium Codeium	Version 1.2.52

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p

Source: security-advisories@github.com

ExploitVendor Advisory

https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.