Identity Browser Extensions
Origin validation failure in CyberArk's Idira Identity Browser Extension for Chrome, Firefox, and Edge (versions prior to 26.8.1) allows a remote attacker to abuse an authenticated user's browser session by luring them to a malicious page. Per CyberArk bulletin CA26-21, the extension's internal web-page verification routine fails to correctly enforce origin checks (CWE-346), enabling unauthorized application interaction in the victim's identity context. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.4 reflects high confidentiality impact and subsequent-system impact via the identity SaaS the extension brokers.
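The bulletin summary above does not say how the extension's verification routine fails, so the following is an added, generic illustration of the CWE-346 class and not CyberArk's code: a substring-style origin check next to a strict one, run over constructed sender URLs. The hostname `portal.idp.example`, the `actions` table, and the `sender.url` shape (modelled on the WebExtensions `MessageSender` object) are assumptions.

```javascript
// Added example: generic CWE-346 illustration, not the vendor's implementation.
// All hostnames below are constructed placeholders.
const TRUSTED_ORIGINS = new Set(["https://portal.idp.example"]);

// Weak pattern: treats the URL as a string and looks for the trusted name.
function weakIsTrusted(senderUrl) {
  return senderUrl.includes("portal.idp.example");
}

// Strict pattern: parse the URL, require https, reject embedded credentials,
// then compare the serialized origin (scheme + host + port) exactly.
function strictIsTrusted(senderUrl, allowed = TRUSTED_ORIGINS) {
  let u;
  try { u = new URL(senderUrl); } catch { return false; }
  if (u.protocol !== "https:") return false;
  if (u.username || u.password) return false;
  return allowed.has(u.origin);
}

// Message gate: validate the sender before dispatching any privileged action.
function handleMessage(msg, sender, actions) {
  if (!sender || typeof sender.url !== "string" || !strictIsTrusted(sender.url)) {
    return { ok: false, error: "untrusted origin" };
  }
  const known = msg && Object.prototype.hasOwnProperty.call(actions, msg.type);
  if (!known) return { ok: false, error: "unknown action" };
  return { ok: true, result: actions[msg.type](msg) };
}

// Constructed sender URLs; only the first is the legitimate origin.
const SAMPLES = [
  "https://portal.idp.example/app",
  "https://portal.idp.example.attacker.test/",
  "https://attacker.test/?r=portal.idp.example",
  "http://portal.idp.example/",
  "https://portal.idp.example@attacker.test/",
  "https://portal.idp.example:8443/",
];

// URLs the weak check accepts but the strict check rejects.
function disagreements(urls = SAMPLES) {
  return urls.filter((u) => weakIsTrusted(u) && !strictIsTrusted(u));
}

console.log(disagreements());
```
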