{"api_version":"1","generated_at":"2026-07-03T16:55:03+00:00","cve":"CVE-2022-24072","urls":{"html":"https://cve.report/CVE-2022-24072","api":"https://cve.report/api/cve/CVE-2022-24072.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-24072","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-24072"},"summary":{"title":"CVE-2022-24072","description":"The devtools API in Whale browser before 3.12.129.18 allowed extension developers to inject arbitrary JavaScript into the extension store web page via devtools.inspectedWindow, leading to extensions downloading and uploading when users open the developer tool.","state":"PUBLIC","assigner":"cve@navercorp.com","published_at":"2022-03-17 06:15:00","updated_at":"2022-03-23 18:22:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://cve.naver.com/detail/cve-2022-24072","name":"https://cve.naver.com/detail/cve-2022-24072","refsource":"CONFIRM","tags":[],"title":"NAVER Security Advisory","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-24072","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24072","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Young Min Kim","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"24072","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"navercorp","cpe5":"whale","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2022-24072","ASSIGNER":"cve@navercorp.com","STATE":"PUBLIC"},"credit":[{"lang":"eng","value":"Young Min Kim"}],"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"NAVER Whale browser","version":{"version_data":[{"version_affected":"<","version_value":"3.12.129.46"}]}}]},"vendor_name":"NAVER"}]}},"description":{"description_data":[{"lang":"eng","value":"The devtools API in Whale browser before 3.12.129.18 allowed extension developers to inject arbitrary JavaScript into the extension store web page via devtools.inspectedWindow, leading to extensions downloading and uploading when users open the developer tool."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-269: Improper Privilege Management"}]}]},"references":{"reference_data":[{"name":"https://cve.naver.com/detail/cve-2022-24072","refsource":"CONFIRM","url":"https://cve.naver.com/detail/cve-2022-24072"}]},"source":{"discovery":"EXTERNAL"}},"nvd":{"publishedDate":"2022-03-17 06:15:00","lastModifiedDate":"2022-03-23 18:22:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:navercorp:whale:*:*:*:*:*:*:*:*","versionEndExcluding":"3.12.129.18","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"24072","Ordinal":"227283","Title":"CVE-2022-24072","CVE":"CVE-2022-24072","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"24072","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}