CVE-2024-51989 (GCVE-0-2024-51989)

Vulnerability from cvelistv5 – Published: 2024-11-07 17:50 – Updated: 2024-11-07 19:09
VLAI?
Title
Cross-site Scripting (XSS) Vulnerability in PasswordPusher
Summary
Password Pusher is an open source application to communicate sensitive information over the web. A cross-site scripting (XSS) vulnerability was identified in the PasswordPusher application, affecting versions `v1.41.1` through and including `v.1.48.0`. The issue arises from an un-sanitized parameter which could allow attackers to inject malicious JavaScript into the application. Users who self-host and have the login system enabled are affected. Exploitation of this vulnerability could expose user data, access to user sessions or take unintended actions on behalf of users. To exploit this vulnerability, an attacker would need to convince a user to click a malicious account confirmation link. It is highly recommended to update to version `v1.48.1` or later to mitigate this risk. There are no known workarounds for this vulnerability. ### Solution Update to version `v1.48.1` or later where input sanitization has been applied to the account confirmation process. If updating is not immediately possible,
Severity ?
7.1 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
pglombardo PasswordPusher Affected: >= 1.41.1, <= 1.48.1
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apnotic_llc:passwordpusher:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "passwordpusher",
            "vendor": "apnotic_llc",
            "versions": [
              {
                "lessThanOrEqual": "1.4.1.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "1.48.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51989",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-07T19:09:22.424934Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-07T19:09:41.347Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PasswordPusher",
          "vendor": "pglombardo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.41.1, \u003c= 1.48.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Password Pusher is an open source application to communicate sensitive information over the web. A cross-site scripting (XSS) vulnerability was identified in the PasswordPusher application, affecting versions `v1.41.1` through and including `v.1.48.0`. The issue arises from an un-sanitized parameter which could allow attackers to inject malicious JavaScript into the application. Users who self-host and have the login system enabled are affected.  Exploitation of this vulnerability could expose user data, access to user sessions or take unintended actions on behalf of users. To exploit this vulnerability, an attacker would need to convince a user to click a malicious account confirmation link. It is highly recommended to update to version `v1.48.1` or later to mitigate this risk. There are no known workarounds for this vulnerability.\n\n### Solution\n\nUpdate to version `v1.48.1` or later where input sanitization has been applied to the account confirmation process.  If updating is not immediately possible,"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-07T17:50:41.881Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-5chg-cq29-gfqf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-5chg-cq29-gfqf"
        }
      ],
      "source": {
        "advisory": "GHSA-5chg-cq29-gfqf",
        "discovery": "UNKNOWN"
      },
      "title": "Cross-site Scripting (XSS) Vulnerability in PasswordPusher"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-51989",
    "datePublished": "2024-11-07T17:50:41.881Z",
    "dateReserved": "2024-11-04T17:46:16.775Z",
    "dateUpdated": "2024-11-07T19:09:41.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Password Pusher is an open source application to communicate sensitive information over the web. A cross-site scripting (XSS) vulnerability was identified in the PasswordPusher application, affecting versions `v1.41.1` through and including `v.1.48.0`. The issue arises from an un-sanitized parameter which could allow attackers to inject malicious JavaScript into the application. Users who self-host and have the login system enabled are affected.  Exploitation of this vulnerability could expose user data, access to user sessions or take unintended actions on behalf of users. To exploit this vulnerability, an attacker would need to convince a user to click a malicious account confirmation link. It is highly recommended to update to version `v1.48.1` or later to mitigate this risk. There are no known workarounds for this vulnerability.\\n\\n### Solution\\n\\nUpdate to version `v1.48.1` or later where input sanitization has been applied to the account confirmation process.  If updating is not immediately possible,\"}, {\"lang\": \"es\", \"value\": \"Password Pusher es una aplicaci\\u00f3n de c\\u00f3digo abierto para comunicar informaci\\u00f3n confidencial a trav\\u00e9s de la web. Se identific\\u00f3 una vulnerabilidad de Cross-Site Scripting (XSS) en la aplicaci\\u00f3n PasswordPusher, que afecta a las versiones `v1.41.1` hasta `v.1.48.0` incluida. El problema surge de un par\\u00e1metro no desinfectado que podr\\u00eda permitir a los atacantes inyectar JavaScript malicioso en la aplicaci\\u00f3n. Los usuarios que alojan el sistema ellos mismos y tienen habilitado el sistema de inicio de sesi\\u00f3n se ven afectados. La explotaci\\u00f3n de esta vulnerabilidad podr\\u00eda exponer los datos del usuario, el acceso a las sesiones del usuario o realizar acciones no deseadas en nombre de los usuarios. Para explotar esta vulnerabilidad, un atacante tendr\\u00eda que convencer a un usuario de que haga clic en un enlace de confirmaci\\u00f3n de cuenta malicioso. Se recomienda encarecidamente actualizar a la versi\\u00f3n `v1.48.1` o posterior para mitigar este riesgo. No existen workarounds para esta vulnerabilidad. ### Soluci\\u00f3n Actualice a la versi\\u00f3n `v1.48.1` o posterior donde se haya aplicado la desinfecci\\u00f3n de entrada al proceso de confirmaci\\u00f3n de cuenta. Si la actualizaci\\u00f3n no es posible de inmediato,\"}]",
      "id": "CVE-2024-51989",
      "lastModified": "2024-11-08T19:01:03.880",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 4.2}]}",
      "published": "2024-11-07T18:15:17.953",
      "references": "[{\"url\": \"https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-5chg-cq29-gfqf\", \"source\": \"security-advisories@github.com\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-51989\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-07T18:15:17.953\",\"lastModified\":\"2024-11-08T19:01:03.880\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Password Pusher is an open source application to communicate sensitive information over the web. A cross-site scripting (XSS) vulnerability was identified in the PasswordPusher application, affecting versions `v1.41.1` through and including `v.1.48.0`. The issue arises from an un-sanitized parameter which could allow attackers to inject malicious JavaScript into the application. Users who self-host and have the login system enabled are affected.  Exploitation of this vulnerability could expose user data, access to user sessions or take unintended actions on behalf of users. To exploit this vulnerability, an attacker would need to convince a user to click a malicious account confirmation link. It is highly recommended to update to version `v1.48.1` or later to mitigate this risk. There are no known workarounds for this vulnerability.\\n\\n### Solution\\n\\nUpdate to version `v1.48.1` or later where input sanitization has been applied to the account confirmation process.  If updating is not immediately possible,\"},{\"lang\":\"es\",\"value\":\"Password Pusher es una aplicaci\u00f3n de c\u00f3digo abierto para comunicar informaci\u00f3n confidencial a trav\u00e9s de la web. Se identific\u00f3 una vulnerabilidad de Cross-Site Scripting (XSS) en la aplicaci\u00f3n PasswordPusher, que afecta a las versiones `v1.41.1` hasta `v.1.48.0` incluida. El problema surge de un par\u00e1metro no desinfectado que podr\u00eda permitir a los atacantes inyectar JavaScript malicioso en la aplicaci\u00f3n. Los usuarios que alojan el sistema ellos mismos y tienen habilitado el sistema de inicio de sesi\u00f3n se ven afectados. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda exponer los datos del usuario, el acceso a las sesiones del usuario o realizar acciones no deseadas en nombre de los usuarios. Para explotar esta vulnerabilidad, un atacante tendr\u00eda que convencer a un usuario de que haga clic en un enlace de confirmaci\u00f3n de cuenta malicioso. Se recomienda encarecidamente actualizar a la versi\u00f3n `v1.48.1` o posterior para mitigar este riesgo. No existen workarounds para esta vulnerabilidad. ### Soluci\u00f3n Actualice a la versi\u00f3n `v1.48.1` o posterior donde se haya aplicado la desinfecci\u00f3n de entrada al proceso de confirmaci\u00f3n de cuenta. Si la actualizaci\u00f3n no es posible de inmediato,\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-5chg-cq29-gfqf\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-51989\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-07T19:09:22.424934Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:apnotic_llc:passwordpusher:*:*:*:*:*:*:*:*\"], \"vendor\": \"apnotic_llc\", \"product\": \"passwordpusher\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.4.1.1\"}, {\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.48.1\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-07T19:08:58.589Z\"}}], \"cna\": {\"title\": \"Cross-site Scripting (XSS) Vulnerability in PasswordPusher\", \"source\": {\"advisory\": \"GHSA-5chg-cq29-gfqf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"pglombardo\", \"product\": \"PasswordPusher\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.41.1, \u003c= 1.48.1\"}]}], \"references\": [{\"url\": \"https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-5chg-cq29-gfqf\", \"name\": \"https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-5chg-cq29-gfqf\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Password Pusher is an open source application to communicate sensitive information over the web. A cross-site scripting (XSS) vulnerability was identified in the PasswordPusher application, affecting versions `v1.41.1` through and including `v.1.48.0`. The issue arises from an un-sanitized parameter which could allow attackers to inject malicious JavaScript into the application. Users who self-host and have the login system enabled are affected.  Exploitation of this vulnerability could expose user data, access to user sessions or take unintended actions on behalf of users. To exploit this vulnerability, an attacker would need to convince a user to click a malicious account confirmation link. It is highly recommended to update to version `v1.48.1` or later to mitigate this risk. There are no known workarounds for this vulnerability.\\n\\n### Solution\\n\\nUpdate to version `v1.48.1` or later where input sanitization has been applied to the account confirmation process.  If updating is not immediately possible,\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-07T17:50:41.881Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-51989\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-07T19:09:41.347Z\", \"dateReserved\": \"2024-11-04T17:46:16.775Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-07T17:50:41.881Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.