CVE-2024-44730

Oct. 16, 2024, 7:35 p.m.

9.1
Critical

Description

Incorrect access control in the function handleDataChannelChat(dataMessage) of Mirotalk before commit c21d58 allows attackers to forge chat messages using an arbitrary sender name.

Product(s) Impacted

Product Versions
Mirotalk
  • ['before commit c21d58']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-924
Improper Enforcement of Message Integrity During Transmission in a Communication Channel
The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.

References

https://aware7.com/de/blog/schwachstellen-in-videokonferenzsystemen/
https://github.com/miroslavpejic85
https://github.com/miroslavpejic85/mirotalk
https://github.com/miroslavpejic85/mirotalksfu/blob/main/SECURITY.md

Tags

cve@mitre.org
CWE-924
2024-10-11
CVE-2024-44730

CVSS Score

9.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

    View Vector String

Timeline

Published: Oct. 11, 2024, 4:15 p.m.
Last Modified: Oct. 16, 2024, 7:35 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.