CVE-2026-2345 - Vulnerability Details - OpenCVE

Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on the presence of a fromWebsite property without verifying the event.origin attribute.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://www.hckrt.com/hacktivity/46b61f36-b685-4667-aebf-82a67ad69ad6

History

Wed, 11 Feb 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on the presence of a fromWebsite property without verifying the event.origin attribute.
Title		Insufficient Origin Validation in Proctorio Chrome Extension postMessage Handlers
Weaknesses		CWE-346
References		https://www.hckrt.com/hacktivity/46b61f36-b685-4667-aebf-82a67ad69ad6
Metrics		cvssV3_1 `{'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Hackrate

Published: 2026-02-11T14:49:44.991Z

Updated: 2026-02-11T21:19:08.551Z

Reserved: 2026-02-11T14:45:32.162Z

Link: CVE-2026-2345

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-02-11T15:16:18.160

Modified: 2026-02-11T15:27:26.370

Link: CVE-2026-2345

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2345", "assignerOrgId": "7004884b-51e2-48e8-b4a2-5ca29e80453e", "state": "PUBLISHED", "assignerShortName": "Hackrate", "dateReserved": "2026-02-11T14:45:32.162Z", "datePublished": "2026-02-11T14:49:44.991Z", "dateUpdated": "2026-02-11T21:19:08.551Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Secure Exam Proctor Extension", "vendor": "Proctorio", "versions": [{"status": "affected", "version": "1.5.25220.33"}, {"status": "unaffected", "version": "1.5.25220.36"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Caen Jones (@vcc3v)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on the presence of a fromWebsite property without verifying the event.origin attribute.<br></p>"}], "value": "Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on the presence of a fromWebsite property without verifying the event.origin attribute."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "description": "CWE-346 Origin Validation Error", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7004884b-51e2-48e8-b4a2-5ca29e80453e", "shortName": "Hackrate", "dateUpdated": "2026-02-11T14:49:44.991Z"}, "references": [{"url": "https://www.hckrt.com/hacktivity/46b61f36-b685-4667-aebf-82a67ad69ad6"}], "source": {"discovery": "UNKNOWN"}, "title": "Insufficient Origin Validation in Proctorio Chrome Extension postMessage Handlers", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T21:19:02.758590Z", "id": "CVE-2026-2345", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:19:08.551Z"}}]}}