Overview
- Description
- Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT requests on the /api;/config endpoint while setting the Content-Type: application/hocon header allow unauthenticated attackers to file reading via HOCON file inclusion. This allows attackers to retrieve sensitive information such as configuration files from the server, which can be leveraged for further exploitation. The vulnerability has been fixed in Scoold 1.64.0. A workaround would be to disable the Scoold API with scoold.api_enabled = false.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
Risk scores
CVSS 4.0
- Type
- Secondary
- Base score
- 8.7
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
CVSS 3.1
- Type
- Primary
- Base score
- 5.3
- Impact score
- 1.4
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Severity
- MEDIUM
Weaknesses
- security-advisories@github.com
- CWE-288
Social media
- Hype score
- Not currently trending
XBOW autonomously discovered CVE-2024-50334, a critical authentication bypass in Scoold, an open-source Q&A webapp used by major companies like Cisco and IBM. Our latest blog post details how it found the flaw: https://t.co/FBgT8R9dXR
@Xbow
14 Nov 2024
17891 Impressions
31 Retweets
94 Likes
26 Bookmarks
3 Replies
5 Quotes
CVE-2024-50334 Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon … https://t.co/K3LTPn3tqw
@CVEnew
29 Oct 2024
218 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2024-50334: HIGH] Warning: Scoold platform had a serious security vulnerability. Update to version 1.64.0 or disable the API. Attackers can bypass authentication and access sensitive information by exploitin...#cybersecurity,#vulnerability https://t.co/W62OdYoUF5 https://t.c
@CveFindCom
29 Oct 2024
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erudika:scoold:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DE234DC7-9FDB-4DE5-9EC7-B8A3E420E481",
"versionEndIncluding": "1.64.0"
}
],
"operator": "OR"
}
]
}
]