Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Storybook Dev Server Vulnerable to WebSocket Hijacking
Vulnerability Description
Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.
CVSS Information
N/A
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Vulnerability Title
Storybook 跨站脚本漏洞
Vulnerability Description
Storybook是Storybook开源的一个UI组件开发环境。 Storybook 7.6.23之前版本、8.6.17之前版本、9.1.19之前版本和10.2.10之前版本存在跨站脚本漏洞,该漏洞源于开发服务器WebSocket功能未验证连接来源且输入未清理,可能导致WebSocket劫持、持久型跨站脚本攻击或远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A