CVE-2025-25303

Sažetak

The MouseTooltipTranslator Chrome extension allows mouseover translation of any language at once. The MouseTooltipTranslator browser extension is vulnerable to SSRF attacks. The pdf.mjs script uses the URL parameter from the current URL as the file to download and display to the extension user. Because pdf.mjs is imported in viewer.html and viewer.html is accessible to all URLs, an attacker can force the user’s browser to make a request to any arbitrary URL. After discussion with maintainer, patching this issue would require disabling a major feature of the extension in exchange for a low severity vulnerability. Decision to not patch issue.

Reference

https://github.com/ttop32/MouseTooltipTranslator/blob/0.1.127/public/manifest.json#L23
https://github.com/ttop32/MouseTooltipTranslator/blob/0.1.127/public/pdfjs/build/pdf.mjs#L13932
https://securitylab.github.com/advisories/GHSL-2024-018_MouseTooltipTranslator/

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

03-03-2025 - 17:15

Objavljeno

03-03-2025 - 17:15