cve-2024-51989
Vulnerability from cvelistv5
Published: 2024-11-07 17:50
Modified: 2024-11-07 19:09
Summary: Cross-site Scripting (XSS) Vulnerability in PasswordPusher
Impacted products: pglombardo / PasswordPusher

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apnotic_llc:passwordpusher:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "passwordpusher",
            "vendor": "apnotic_llc",
            "versions": [
              {
                "lessThanOrEqual": "1.4.1.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "1.48.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51989",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-07T19:09:22.424934Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-07T19:09:41.347Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PasswordPusher",
          "vendor": "pglombardo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.41.1, \u003c= 1.48.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Password Pusher is an open source application to communicate sensitive information over the web. A cross-site scripting (XSS) vulnerability was identified in the PasswordPusher application, affecting versions `v1.41.1` through and including `v.1.48.0`. The issue arises from an un-sanitized parameter which could allow attackers to inject malicious JavaScript into the application. Users who self-host and have the login system enabled are affected.  Exploitation of this vulnerability could expose user data, access to user sessions or take unintended actions on behalf of users. To exploit this vulnerability, an attacker would need to convince a user to click a malicious account confirmation link. It is highly recommended to update to version `v1.48.1` or later to mitigate this risk. There are no known workarounds for this vulnerability.\n\n### Solution\n\nUpdate to version `v1.48.1` or later where input sanitization has been applied to the account confirmation process.  If updating is not immediately possible,"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-07T17:50:41.881Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-5chg-cq29-gfqf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-5chg-cq29-gfqf"
        }
      ],
      "source": {
        "advisory": "GHSA-5chg-cq29-gfqf",
        "discovery": "UNKNOWN"
      },
      "title": "Cross-site Scripting (XSS) Vulnerability in PasswordPusher"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-51989",
    "datePublished": "2024-11-07T17:50:41.881Z",
    "dateReserved": "2024-11-04T17:46:16.775Z",
    "dateUpdated": "2024-11-07T19:09:41.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-51989\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-07T18:15:17.953\",\"lastModified\":\"2024-11-08T19:01:03.880\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Password Pusher is an open source application to communicate sensitive information over the web. A cross-site scripting (XSS) vulnerability was identified in the PasswordPusher application, affecting versions `v1.41.1` through and including `v.1.48.0`. The issue arises from an un-sanitized parameter which could allow attackers to inject malicious JavaScript into the application. Users who self-host and have the login system enabled are affected.  Exploitation of this vulnerability could expose user data, access to user sessions or take unintended actions on behalf of users. To exploit this vulnerability, an attacker would need to convince a user to click a malicious account confirmation link. It is highly recommended to update to version `v1.48.1` or later to mitigate this risk. There are no known workarounds for this vulnerability.\\n\\n### Solution\\n\\nUpdate to version `v1.48.1` or later where input sanitization has been applied to the account confirmation process.  If updating is not immediately possible,\"},{\"lang\":\"es\",\"value\":\"Password Pusher es una aplicaci\u00f3n de c\u00f3digo abierto para comunicar informaci\u00f3n confidencial a trav\u00e9s de la web. Se identific\u00f3 una vulnerabilidad de Cross-Site Scripting (XSS) en la aplicaci\u00f3n PasswordPusher, que afecta a las versiones `v1.41.1` hasta `v.1.48.0` incluida. El problema surge de un par\u00e1metro no desinfectado que podr\u00eda permitir a los atacantes inyectar JavaScript malicioso en la aplicaci\u00f3n. Los usuarios que alojan el sistema ellos mismos y tienen habilitado el sistema de inicio de sesi\u00f3n se ven afectados. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda exponer los datos del usuario, el acceso a las sesiones del usuario o realizar acciones no deseadas en nombre de los usuarios. Para explotar esta vulnerabilidad, un atacante tendr\u00eda que convencer a un usuario de que haga clic en un enlace de confirmaci\u00f3n de cuenta malicioso. Se recomienda encarecidamente actualizar a la versi\u00f3n `v1.48.1` o posterior para mitigar este riesgo. No existen workarounds para esta vulnerabilidad. ### Soluci\u00f3n Actualice a la versi\u00f3n `v1.48.1` o posterior donde se haya aplicado la desinfecci\u00f3n de entrada al proceso de confirmaci\u00f3n de cuenta. Si la actualizaci\u00f3n no es posible de inmediato,\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-5chg-cq29-gfqf\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}