Lucene search

GitHub_MCVE-2024-47530

HistorySep 30, 2024 - 4:15 p.m.

CVE-2024-47530

2024-09-3016:15:09

CWE-601

GitHub_M

web.nvd.nist.gov

scout web visualizer

open redirect

phishing

malicious page

https downgrade attack

vulnerability fixed

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

26.7%

JSON

Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lack of scheme validation, HTTPS Downgrade Attack can be performed on the users. This vulnerability is fixed in 4.89.

Affected configurations

Vulners

Vulnrichment

Node

clinical-genomicsscoutRange<4.89

VendorProductVersionCPE
clinical-genomicsscout*cpe:2.3:a:clinical-genomics:scout:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
clinical-genomics	scout	*	cpe:2.3:a:clinical-genomics:scout::::::::

CNA Affected

[
  {
    "vendor": "Clinical-Genomics",
    "product": "scout",
    "versions": [
      {
        "version": "< 4.89",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Clinical-Genomics/scout/commit/50055edfca9a7183b248019af97e1fb0b0065a02

github.com/Clinical-Genomics/scout/security/advisories/GHSA-3x45-2m34-x95v

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

26.7%

JSON

Related for CVE-2024-47530