x/vulndb: potential Go vuln in github.com/firebase/firebase-tools: CVE-2024-4128

[GoVulnBot]

CVE-2024-4128 references github.com/firebase/firebase-tools, which may be a Go module.

Description:
This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or commit  068a2b08dc308c7ab4b569617f5fc8821237e3a0 firebase/firebase-tools@068a2b0

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-4128
• JSON: https://github.com/CVEProject/cvelist/tree/0769d3179e29b0f52d2697d9ca930e0ae13a15a2/2024/4xxx/CVE-2024-4128.json
• fix: Block web browser requests to export endpoint firebase/firebase-tools#6944
• fix: firebase/firebase-tools@068a2b0
• Imported by: https://pkg.go.dev/github.com/firebase/firebase-tools?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/firebase/firebase-tools
      vulnerable_at: 13.8.0+incompatible
      packages:
        - package: firebase-tools
summary: CVE-2024-4128 in github.com/firebase/firebase-tools
cves:
    - CVE-2024-4128
references:
    - fix: https://github.com/firebase/firebase-tools/pull/6944
    - fix: https://github.com/firebase/firebase-tools/commit/068a2b08dc308c7ab4b569617f5fc8821237e3a0
source:
    id: CVE-2024-4128

[gopherbot]

Change https://go.dev/cl/590278 mentions this issue: data/reports: add 48 unreviewed reports