Overview
- Description
- Zusam is a free and open-source way to self-host private forums. Prior to version 0.5.6, specially crafted SVG files uploaded to the service as images allow for unrestricted script execution on (raw) image load. With certain payloads, theft of the target user’s long-lived session token is possible. Note that Zusam, at the time of writing, uses a user’s static API key as a long-lived session token, and these terms can be used interchangeably on the platform. This session token/API key remains valid indefinitely, so long as the user doesn’t expressly request a new one via their Settings page. Version 0.5.6 fixes the cross-site scripting vulnerability.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
Risk scores
CVSS 3.1
- Type
- Secondary
- Base score
- 8.8
- Impact score
- 5.3
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
- Severity
- HIGH
Weaknesses
- security-advisories@github.com
- CWE-79
Social media
- Hype score
- Not currently trending
CVE-2024-51492 Critical XSS Vulnerability in Zusam Allows Session Token Theft Z... https://t.co/FDmDCkTv5D Vulnerability Alert Subscriptions: https://t.co/hrQhy5uz4x
@VulmonFeeds
2 Nov 2024 · 44 Impressions · 0 Retweets · 0 Likes · 0 Bookmarks · 0 Replies · 0 Quotes
CVE-2024-51492 Zusam is a free and open-source way to self-host private forums. Prior to version 0.5.6, specially crafted SVG files uploaded to the service as images allow for unres… https://t.co/HbUtgOCEnE
@CVEnew
1 Nov 2024 · 288 Impressions · 0 Retweets · 0 Likes · 0 Bookmarks · 0 Replies · 0 Quotes
[CVE-2024-51492: HIGH] Zusam, a self-hosted forum platform, fixed a critical cross-site scripting vulnerability in version 0.5.6. Ensure you update to protect against unrestricted script execution. #cybersecurity #vulnerability https://t.co/5tNHItjPmi https://t.co/a
@CveFindCom
1 Nov 2024 · 18 Impressions · 0 Retweets · 0 Likes · 0 Bookmarks · 0 Replies · 0 Quotes