Overview
- Description
- Umbrel is a home server OS for self-hosting. The login functionality of Umbrel before version 1.2.2 contains a reflected cross-site scripting (XSS) vulnerability in use-auth.tsx. An attacker can specify a malicious redirect query parameter to trigger the vulnerability. If a JavaScript URL is passed to the redirect parameter, the attacker-provided JavaScript will be executed after the user has entered their password and clicked on login. This vulnerability is fixed in 1.2.2.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
Risk scores
CVSS 4.0
- Type
- Secondary
- Base score
- 5.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Secondary
- Base score
- 5.4
- Impact score
- 2.5
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- Severity
- MEDIUM
Weaknesses
- security-advisories@github.com
- CWE-79
Social media
- Hype score
- Not currently trending
CVE-2024-49379 Reflected XSS Vulnerability in Umbrel Pre-1.2.2 Login Functionality Umbrel is a home server operating system for self-hosting. Before version 1.2.2, Umbrel's login feature had a reflected cross-sit... https://t.co/l0Y5OBGukO
@VulmonFeeds
14 Nov 2024
CVE-2024-49379 Umbrel is a home server OS for self-hosting. The login functionality of Umbrel before version 1.2.2 contains a reflected cross-site scripting (XSS) vulnerability in u… https://t.co/ig14FmwsA1
@CVEnew
13 Nov 2024
GHSL-2024-164: Remote Code Execution (RCE) via Cross-Site Scripting (XSS) in Umbrel - CVE-2024-49379 https://t.co/wxyubcSPrZ
@GHSecurityLab
8 Nov 2024