The Proctorio Chrome Extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on the presence of a fromWebsite property without verifying the event.origin attribute resulting in unauthorized interaction with extension functionality.

It's important to note, that the lack of CSRF protection is generally out of scope, but I reported it, because this request is just a simple GET method. An attacker is able to craft an URL, what contains the ID of a report, and if the user, who has access to the report, clicks on it, the report is being self closed.

A potential Server-Side Request Forgery (SSRF) vulnerability was identified in the Cloudflare image transformation feature via URL injection on the domain https://www.hckrt.com. The service allows arbitrary URLs to be processed through the /cdn-cgi/image/ endpoint, which may permit unauthorized internal or external requests.