Lucene search

[email protected]CVE-2024-38521

HistoryJun 28, 2024 - 4:15 p.m.

CVE-2024-38521

2024-06-2816:15:04

CWE-79

[email protected]

web.nvd.nist.gov

cve-2024-38521

hush line

stored xss

inbox

patched

version 0.1.0

open-source

anonymous-tip-line-as-a-service

jinja2

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. There is a stored XSS in the Inbox. The input is displayed using the safe Jinja2 attribute, and thus not sanitized upon display. This issue has been patched in version 0.1.0.

Affected configurations

Vulners

Node

scidsghushlineRange<0.1.0

CNA Affected

[
  {
    "vendor": "scidsg",
    "product": "hushline",
    "versions": [
      {
        "version": "< 0.1.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/scidsg/hushline/security/advisories/GHSA-4v8c-r6h2-fhh3

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVE-2024-38521

cvelist1 nvd1