
GHSA-qm5v-pj64-852j
PHP vulnerability analysis and mitigation

Overview

A moderate severity vulnerability was identified in Passbolt API (composer://passbolt/passbolt_api) affecting versions prior to 2.11.0. The vulnerability involves a tabnabbing issue when opening URIs with the menu 'Open URI in a new tab' function (GitHub Advisory).

Technical details

The vulnerability has a CVSS v3.1 score of 5.5 (Moderate) with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: Low, User Interaction: Required, Scope: Unchanged, and Impact levels (Confidentiality, Integrity, Availability) all rated as Low. The vulnerability is associated with CWE-657 (GitHub Advisory).

Impact

When exploited, the vulnerability allows the malicious page loaded in the new tab to retain a reference to the window.opener object. That reference could be used to change window.opener.location to redirect the user to a phishing page, or to execute JavaScript functions through the AppJS on the user's behalf, potentially compromising data integrity (GitHub Advisory).

Mitigation and workarounds

The vulnerability was patched in version 2.11.0 of Passbolt API. The fix modifies the code that opens new windows via window.open() to pass the noopener window feature, so the new window has no opener reference and cannot reach back into the window that opened it (GitHub Advisory).
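As an added example (not code from Passbolt or the advisory), the pre-fix and fixed window.open() patterns side by side, with a constructed stand-in for the browser window so the check runs under Node; the function names and the fake window are assumptions, not Passbolt identifiers.

```javascript
// Added example, not Passbolt's code: opening an untrusted URI in a new tab
// without handing that tab a reference to the opener. Runs under Node with a
// constructed stand-in for `window`, since no real browser is involved.

// Pre-fix pattern: the new browsing context keeps window.opener, so the page
// loaded there can set opener.location or call functions on it.
function openUriVulnerable(win, uri) {
  return win.open(uri, '_blank');
}

// Fixed pattern: request `noopener` in the window features. Engines that honour
// it return null and give the new tab opener === null. If a handle does come
// back (an engine that ignores the feature), sever the link by hand.
function openUriSafe(win, uri) {
  const handle = win.open(uri, '_blank', 'noopener,noreferrer');
  if (handle) {
    handle.opener = null;
  }
  return handle;
}

// Constructed stand-in for a browser window. It models the worst case, an
// engine that ignores `noopener`, so open() always returns a child whose
// opener is the parent, while recording the feature string it was given.
function makeFakeWindow() {
  const win = { calls: [] };
  win.open = function (url, target, features) {
    win.calls.push({ url, target, features: features || '' });
    return { location: url, opener: win };
  };
  return win;
}

// Check a reviewer can run against either variant: does the opened context
// still reach back to the opener, and was noopener requested at all?
function leaksOpener(openFn, uri) {
  const win = makeFakeWindow();
  const child = openFn(win, uri);
  const features = win.calls[0].features;
  return {
    openerReachable: child !== null && child.opener === win,
    requestedNoopener: /\bnoopener\b/.test(features),
  };
}
```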

Additional resources

Source: This report was generated using AI.
