admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-07-09 16:05:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2024/CVE-2024-514xx/CVE-2024-51492.json
cad-safe-bot e6cbafdc40 Auto-Update: 2024-12-08T03:00:18.988682+00:00
2024-12-08 03:06:42 +00:00

72 lines
3.4 KiB
JSON
Raw Blame History

{
"id": "CVE-2024-51492",
"sourceIdentifier": "security-advisories@github.com",
"published": "2024-11-01T17:15:18.930",
"lastModified": "2024-11-01T21:15:15.080",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Zusam is a free and open-source way to self-host private forums. Prior to version 0.5.6, specially crafted SVG files uploaded to the service as images allow for unrestricted script execution on (raw) image load. With certain payloads, theft of the target user\u2019s long-lived session token is possible. Note that Zusam, at the time of writing, uses a user\u2019s static API key as a long-lived session token, and these terms can be used interchangeably on the platform. This session token/API key remains valid indefinitely, so long as the user doesn\u2019t expressly request a new one via their Settings page. Version 0.5.6 fixes the cross-site scripting vulnerability."
},
{
"lang": "es",
"value": "Zusam es una forma gratuita y de c\u00f3digo abierto de alojar foros privados. Antes de la versi\u00f3n 0.5.6, los archivos SVG especialmente manipulados que se sub\u00edan al servicio como im\u00e1genes permit\u00edan la ejecuci\u00f3n sin restricciones de scripts al cargar im\u00e1genes (sin procesar). Con ciertos payloads, es posible el robo del token de sesi\u00f3n de larga duraci\u00f3n del usuario objetivo. Tenga en cuenta que, al momento de escribir este art\u00edculo, Zusam usa la clave API est\u00e1tica de un usuario como token de sesi\u00f3n de larga duraci\u00f3n, y estos t\u00e9rminos se pueden usar indistintamente en la plataforma. Este token de sesi\u00f3n/clave API sigue siendo v\u00e1lido indefinidamente, siempre y cuando el usuario no solicite expresamente uno nuevo a trav\u00e9s de su p\u00e1gina de Configuraci\u00f3n. La versi\u00f3n 0.5.6 corrige la vulnerabilidad de cross site scripting."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"availabilityImpact": "LOW"
},
"exploitabilityScore": 2.8,
"impactScore": 5.3
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
],
"references": [
{
"url": "https://github.com/zusam/zusam/commit/5930fdf86fa4abed01f0b345c8ec3c443656db9a",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/zusam/zusam/releases/tag/0.5.6",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/zusam/zusam/security/advisories/GHSA-96fx-5rqv-jfxh",
"source": "security-advisories@github.com"
},
{
"url": "https://pfeister.dev/CVE-2024-51492",
"source": "security-advisories@github.com"
}
]
}
Reference in New Issue View Git Blame Copy Permalink