| 标题 | Eyeo GmbH Adblock Plus 4.36.2 Privilege Escalation |
|---|
| 描述 | A missing origin validation in premium.preload.js allows any JavaScript
running in the context of accounts.adblockplus.org to forge a
payment_success postMessage event and activate the Premium subscription
without payment. The extension background (background.js) further fails
to bind the submitted userId to a verified payment session before
persisting it and initiating license_check. Tested on v4.36.2,
reproducible in ~30 seconds with a single line of JavaScript. |
|---|
| 来源 | ⚠️ https://github.com/xryj920/CVE/blob/main/adblock_plus_CVE_report.md |
|---|
| 用户 | DRXYJ (UID 46872) |
|---|
| 提交 | 2026-03-31 11時44分 (2 月前) |
|---|
| 管理 | 2026-05-02 18時03分 (1 month later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 360856 [eyeo Adblock Plus 直到 4.36.2 于 Chrome Legacy Premium Activation premium.preload.js postMessage 权限提升] |
|---|
| 积分 | 20 |
|---|