Products
Hush Line
- 0.10
Source
security-advisories@github.com
Tags
CVE-2024-38523 details
Published : June 27, 2024, 8:15 p.m.
Last Modified : June 27, 2024, 8:15 p.m.
Last Modified : June 27, 2024, 8:15 p.m.
Description
Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The TOTP authentication flow has multiple issues that weakens its one-time nature. Specifically, the lack of 2FA for changing security settings allows attacker with CSRF or XSS primitives to change such settings without user interaction and credentials are required. This vulnerability has been patched in version 0.10.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7.5 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-287 | Improper Authentication | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
7.5
Exploitability Score
1.6
Impact Score
5.9
Base Severity
HIGH
Vector String : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References
| URL | Source |
|---|---|
| https://github.com/scidsg/hushline/pull/376 | security-advisories@github.com |
| https://github.com/scidsg/hushline/security/advisories/GHSA-4c38-hhxx-9mhx | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.