CVE-2024-29384 identifies a vulnerability in CSS Exfil Protection version 1.1.0, specifically within the content.js script and the parseCSSRules function. This vulnerability allows a remote attacker to exfiltrate sensitive information by exploiting weaknesses in how CSS rules are parsed and handled. The vulnerability falls under CWE-200, indicating an information exposure flaw. The CVSS 3.1 base score is 7.5, reflecting a high severity due to the ability to disclose confidential data remotely without requiring authentication or user interaction. The attack vector is network-based, with low complexity and no privileges needed, making it relatively easy to exploit. The vulnerability does not impact integrity or availability but poses a significant confidentiality risk. No patches or fixes have been released at the time of publication, and no known exploits have been observed in the wild. The vulnerability affects the CSS Exfil Protection tool, which is designed to prevent CSS-based data exfiltration attacks but ironically contains a flaw that can be leveraged to leak sensitive information. The issue likely arises from improper handling or parsing of CSS rules, allowing attackers to bypass protections and extract data from the environment where the extension is deployed.

The primary impact of CVE-2024-29384 is unauthorized disclosure of sensitive information, which can lead to data breaches, privacy violations, and potential exposure of confidential organizational data. Since the vulnerability does not affect integrity or availability, it does not allow attackers to modify or disrupt systems directly, but the confidentiality breach alone can have severe consequences, including reputational damage, regulatory penalties, and loss of customer trust. Organizations relying on CSS Exfil Protection to secure their web environments may have a false sense of security, increasing risk exposure. The ease of exploitation and lack of required privileges mean that attackers can remotely target vulnerable systems at scale. This vulnerability could be leveraged as part of a broader attack chain to gather intelligence or facilitate further exploitation. The absence of patches increases the window of exposure, emphasizing the need for immediate mitigation. Industries handling sensitive data such as finance, healthcare, and government are particularly at risk due to the potential sensitivity of the leaked information.

Until an official patch is released, organizations should consider disabling CSS Exfil Protection version 1.1.0 to eliminate the attack surface. If disabling is not feasible, restrict the extension’s permissions and monitor its activity closely. Implement network-level monitoring to detect unusual outbound traffic patterns that may indicate data exfiltration attempts via CSS channels. Employ Content Security Policy (CSP) headers to limit the ability of malicious CSS or scripts to execute or exfiltrate data. Conduct thorough audits of browser extensions and third-party tools to ensure they do not introduce vulnerabilities. Educate security teams about this specific vulnerability to enhance detection capabilities. Prepare to deploy patches promptly once available and verify their effectiveness through testing. Consider deploying endpoint detection and response (EDR) solutions capable of identifying anomalous behaviors related to CSS parsing and data exfiltration. Maintain up-to-date inventories of browser extensions and their versions to facilitate rapid response to similar future vulnerabilities.