admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-05-28 17:21:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2024/CVE-2024-567xx/CVE-2024-56733.json
cad-safe-bot 22fb3bea38 Auto-Update: 2025-01-05T03:00:19.815336+00:00
2025-01-05 03:03:46 +00:00

60 lines
4.1 KiB
JSON
Raw Blame History

{
"id": "CVE-2024-56733",
"sourceIdentifier": "security-advisories@github.com",
"published": "2024-12-30T17:15:09.990",
"lastModified": "2024-12-30T17:15:09.990",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Password Pusher is an open source application to communicate sensitive information over the web. A vulnerability has been reported in versions 1.50.3 and prior where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user's session until the token expires or is manually cleared. This vulnerability hinges on the attacker's ability to access the session cookie during an active session, either through a man-in-the-middle attack, by exploiting another vulnerability like XSS, or via direct access to the victim's device. Although there is no direct resolution to this vulnerability, it is recommended to always use the latest version of Password Pusher to best mitigate risk. If self-hosting, ensure Password Pusher is hosted exclusively over SSL connections to encrypt traffic and prevent session cookies from being intercepted in transit. Additionally, implement best practices in local security to safeguard user systems, browsers, and data against unauthorized access."
},
{
"lang": "es",
"value": "Password Pusher es una aplicaci\u00f3n de c\u00f3digo abierto para comunicar informaci\u00f3n confidencial a trav\u00e9s de la web. Se ha informado de una vulnerabilidad en las versiones 1.50.3 y anteriores en las que un atacante puede copiar la cookie de sesi\u00f3n antes de que un usuario cierre la sesi\u00f3n, lo que potencialmente permite el secuestro de la sesi\u00f3n. Aunque el token de sesi\u00f3n se reemplaza y se invalida al cerrar la sesi\u00f3n, si un atacante logra capturar la cookie de sesi\u00f3n antes de este proceso, puede usar el token para obtener acceso no autorizado a la sesi\u00f3n del usuario hasta que el token caduque o se borre manualmente. Esta vulnerabilidad depende de la capacidad del atacante para acceder a la cookie de sesi\u00f3n durante una sesi\u00f3n activa, ya sea a trav\u00e9s de un ataque de intermediario, explotando otra vulnerabilidad como XSS o mediante el acceso directo al dispositivo de la v\u00edctima. Aunque no existe una soluci\u00f3n directa para esta vulnerabilidad, se recomienda utilizar siempre la \u00faltima versi\u00f3n de Password Pusher para mitigar mejor el riesgo. Si se aloja por cuenta propia, aseg\u00farese de que Password Pusher est\u00e9 alojado exclusivamente en conexiones SSL para cifrar el tr\u00e1fico y evitar que las cookies de sesi\u00f3n se intercepten en tr\u00e1nsito. Adem\u00e1s, implemente las mejores pr\u00e1cticas en seguridad local para proteger los sistemas, navegadores y datos de los usuarios contra el acceso no autorizado."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "HIGH",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE"
},
"exploitabilityScore": 0.5,
"impactScore": 5.2
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-384"
}
]
}
],
"references": [
{
"url": "https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-4fwj-m62q-pp47",
"source": "security-advisories@github.com"
}
]
}
Reference in New Issue View Git Blame Copy Permalink