Lucene search

GitHub_MCVELIST:CVE-2024-47530

HistorySep 30, 2024 - 3:17 p.m.

CVE-2024-47530 Scout contains an Open Redirect on Login via `next`

2024-09-3015:17:39

CWE-601

GitHub_M

www.cve.org

scout

open redirect

vcf-files

phishing

api endpoint

sanitization

scheme validation

https downgrade

fix 4.89

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

26.7%

JSON

Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lack of scheme validation, HTTPS Downgrade Attack can be performed on the users. This vulnerability is fixed in 4.89.

CNA Affected

[
  {
    "vendor": "Clinical-Genomics",
    "product": "scout",
    "versions": [
      {
        "version": "< 4.89",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Clinical-Genomics/scout/commit/50055edfca9a7183b248019af97e1fb0b0065a02

github.com/Clinical-Genomics/scout/security/advisories/GHSA-3x45-2m34-x95v

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

26.7%

JSON

Related for CVELIST:CVE-2024-47530