Search criteria
4 vulnerabilities by Clinical-Genomics
CVE-2024-47531 (GCVE-0-2024-47531)
Vulnerability from cvelistv5 – Published: 2024-09-30 15:26 – Updated: 2024-09-30 16:31
VLAI?
Summary
Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization in the filename, it is possible bypass intended file extension and make users download malicious files with any extension. With malicious content injected inside the file data and users unknowingly downloading it and opening may lead to the compromise of users' devices or data. This vulnerability is fixed in 4.89.
Severity ?
4.6 (Medium)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Clinical-Genomics | scout |
Affected:
<= 4.88.1
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:clinical-genomics:scout:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "scout",
"vendor": "clinical-genomics",
"versions": [
{
"lessThanOrEqual": "4.88.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47531",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T16:30:09.440058Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T16:31:07.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "scout",
"vendor": "Clinical-Genomics",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.88.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization in the filename, it is possible bypass intended file extension and make users download malicious files with any extension. With malicious content injected inside the file data and users unknowingly downloading it and opening may lead to the compromise of users\u0027 devices or data. This vulnerability is fixed in 4.89."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:26:49.421Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-24xv-q29v-3h6r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-24xv-q29v-3h6r"
},
{
"name": "https://github.com/Clinical-Genomics/scout/commit/f59e50f8ea596e641da8a0e9c7a33c0696bcbea5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Clinical-Genomics/scout/commit/f59e50f8ea596e641da8a0e9c7a33c0696bcbea5"
}
],
"source": {
"advisory": "GHSA-24xv-q29v-3h6r",
"discovery": "UNKNOWN"
},
"title": "Scout contains insufficient output escaping of attachment names"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47531",
"datePublished": "2024-09-30T15:26:49.421Z",
"dateReserved": "2024-09-25T21:46:10.929Z",
"dateUpdated": "2024-09-30T16:31:07.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47530 (GCVE-0-2024-47530)
Vulnerability from cvelistv5 – Published: 2024-09-30 15:17 – Updated: 2024-09-30 15:45
VLAI?
Summary
Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lack of scheme validation, HTTPS Downgrade Attack can be performed on the users. This vulnerability is fixed in 4.89.
Severity ?
5.4 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Clinical-Genomics | scout |
Affected:
< 4.89
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:clinical-genomics:scout:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "scout",
"vendor": "clinical-genomics",
"versions": [
{
"lessThan": "4.89",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47530",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T15:44:10.932306Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:45:37.010Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "scout",
"vendor": "Clinical-Genomics",
"versions": [
{
"status": "affected",
"version": "\u003c 4.89"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lack of scheme validation, HTTPS Downgrade Attack can be performed on the users. This vulnerability is fixed in 4.89."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:17:39.731Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-3x45-2m34-x95v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-3x45-2m34-x95v"
},
{
"name": "https://github.com/Clinical-Genomics/scout/commit/50055edfca9a7183b248019af97e1fb0b0065a02",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Clinical-Genomics/scout/commit/50055edfca9a7183b248019af97e1fb0b0065a02"
}
],
"source": {
"advisory": "GHSA-3x45-2m34-x95v",
"discovery": "UNKNOWN"
},
"title": "Scout contains an Open Redirect on Login via `next`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47530",
"datePublished": "2024-09-30T15:17:39.731Z",
"dateReserved": "2024-09-25T21:46:10.929Z",
"dateUpdated": "2024-09-30T15:45:37.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1592 (GCVE-0-2022-1592)
Vulnerability from cvelistv5 – Published: 2022-05-05 10:20 – Updated: 2024-08-03 00:10
VLAI?
Summary
Server-Side Request Forgery in scout in GitHub repository clinical-genomics/scout prior to v4.42. An attacker could make the application perform arbitrary requests to fishing steal cookie, request to private area, or lead to xss...
Severity ?
9.4 (Critical)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| clinical-genomics | clinical-genomics/scout |
Affected:
unspecified , < v4.42
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.567Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/352b39da-0f2e-415a-9793-5480cae8bd27"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/clinical-genomics/scout/commit/b0ef15f4737d0c801154c1991b52ff5cab4f5c83"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "clinical-genomics/scout",
"vendor": "clinical-genomics",
"versions": [
{
"lessThan": "v4.42",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery in scout in GitHub repository clinical-genomics/scout prior to v4.42. An attacker could make the application perform arbitrary requests to fishing steal cookie, request to private area, or lead to xss..."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T10:20:09",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/352b39da-0f2e-415a-9793-5480cae8bd27"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/clinical-genomics/scout/commit/b0ef15f4737d0c801154c1991b52ff5cab4f5c83"
}
],
"source": {
"advisory": "352b39da-0f2e-415a-9793-5480cae8bd27",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery in scout in clinical-genomics/scout",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1592",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery in scout in clinical-genomics/scout"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "clinical-genomics/scout",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "v4.42"
}
]
}
}
]
},
"vendor_name": "clinical-genomics"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery in scout in GitHub repository clinical-genomics/scout prior to v4.42. An attacker could make the application perform arbitrary requests to fishing steal cookie, request to private area, or lead to xss..."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/352b39da-0f2e-415a-9793-5480cae8bd27",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/352b39da-0f2e-415a-9793-5480cae8bd27"
},
{
"name": "https://github.com/clinical-genomics/scout/commit/b0ef15f4737d0c801154c1991b52ff5cab4f5c83",
"refsource": "MISC",
"url": "https://github.com/clinical-genomics/scout/commit/b0ef15f4737d0c801154c1991b52ff5cab4f5c83"
}
]
},
"source": {
"advisory": "352b39da-0f2e-415a-9793-5480cae8bd27",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1592",
"datePublished": "2022-05-05T10:20:09",
"dateReserved": "2022-05-05T00:00:00",
"dateUpdated": "2024-08-03T00:10:03.567Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1554 (GCVE-0-2022-1554)
Vulnerability from cvelistv5 – Published: 2022-05-03 08:20 – Updated: 2024-08-03 00:10
VLAI?
Summary
Path Traversal due to `send_file` call in GitHub repository clinical-genomics/scout prior to 4.52.
Severity ?
6.8 (Medium)
CWE
- CWE-36 - Absolute Path Traversal
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| clinical-genomics | clinical-genomics/scout |
Affected:
unspecified , < 4.52
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:02.933Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/7acac778-5ba4-4f02-99e2-e4e17a81e600"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/clinical-genomics/scout/commit/952a2e2319af2d95d22b017a561730feac086ff1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "clinical-genomics/scout",
"vendor": "clinical-genomics",
"versions": [
{
"lessThan": "4.52",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path Traversal due to `send_file` call in GitHub repository clinical-genomics/scout prior to 4.52."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-36",
"description": "CWE-36 Absolute Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-03T08:20:09",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/7acac778-5ba4-4f02-99e2-e4e17a81e600"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/clinical-genomics/scout/commit/952a2e2319af2d95d22b017a561730feac086ff1"
}
],
"source": {
"advisory": "7acac778-5ba4-4f02-99e2-e4e17a81e600",
"discovery": "EXTERNAL"
},
"title": "Path Traversal due to `send_file` call in clinical-genomics/scout",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1554",
"STATE": "PUBLIC",
"TITLE": "Path Traversal due to `send_file` call in clinical-genomics/scout"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "clinical-genomics/scout",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.52"
}
]
}
}
]
},
"vendor_name": "clinical-genomics"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Path Traversal due to `send_file` call in GitHub repository clinical-genomics/scout prior to 4.52."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-36 Absolute Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/7acac778-5ba4-4f02-99e2-e4e17a81e600",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/7acac778-5ba4-4f02-99e2-e4e17a81e600"
},
{
"name": "https://github.com/clinical-genomics/scout/commit/952a2e2319af2d95d22b017a561730feac086ff1",
"refsource": "MISC",
"url": "https://github.com/clinical-genomics/scout/commit/952a2e2319af2d95d22b017a561730feac086ff1"
}
]
},
"source": {
"advisory": "7acac778-5ba4-4f02-99e2-e4e17a81e600",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1554",
"datePublished": "2022-05-03T08:20:09",
"dateReserved": "2022-05-03T00:00:00",
"dateUpdated": "2024-08-03T00:10:02.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}