CVE-2024-52597

Published Nov 20, 2024

Last updated 3 months ago

CVSS medium 6.1

Overview

Description
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Versions prior to 5.4.1 are vulnerable to stored cross-site scripting due to improper headers in direct access to uploaded SVGs. The application allows uploading images in several places. One of the accepted types of image is SVG, which allows JS scripting. Therefore, by uploading a malicious SVG which contains JS code, an attacker which is able to drive a victim to the uploaded image could compromise that victim's session and access to their tokens. Version 5.4.1 contains a patch for the issue.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.1
Impact score
2.7
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

security-advisories@github.com
CWE-79

Social media

Hype score
Not currently trending

  1. XBOW autonomously identified a persistent Cross Site Scripting vulnerability in the account migration feature of 2FAuth (CVE-2024-52597). Full details of the flaw and how it was discovered will be shared in our upcoming blog post. https://t.co/Rd8rRNWOxr

    @Xbow

    20 Nov 2024

    5181 Impressions

    2 Retweets

    34 Likes

    4 Bookmarks

    1 Reply

    3 Quotes

References