CVE-2024-47531

Exploit

EPSS 0.3%
Veröffentlicht 30.09.2024 16:15:09
Zuletzt bearbeitet 15.11.2024 18:02:14
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Scout contains insufficient output escaping of attachment names

Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization in the filename, it is possible bypass intended file extension and make users download malicious files with any extension. With malicious content injected inside the file data and users unknowingly downloading it and opening may lead to the compromise of users' devices or data. This vulnerability is fixed in 4.89.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Clinical-genomics ≫ Scout Version < 4.89

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.217

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
security-advisories@github.com	4.6	2.1	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

https://github.com/Clinical-Genomics/scout/commit/f59e50f8ea596e641da8a0e9c7a33c0696bcbea5

Patch

https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-24xv-q29v-3h6r

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-47531

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-47531

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-47531

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-47531