CVE-2024-47531

Oct. 4, 2024, 1:51 p.m.

4.6
Medium

Description

Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization in the filename, it is possible bypass intended file extension and make users download malicious files with any extension. With malicious content injected inside the file data and users unknowingly downloading it and opening may lead to the compromise of users' devices or data. This vulnerability is fixed in 4.89.

Product(s) Impacted

Product Versions
Scout
  • ['4.0', '4.1', '4.2', '4.3', '4.4', '4.5', '4.6.x-4.88']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-116
Improper Encoding or Escaping of Output
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References

https://github.com/Clinical-Genomics/scout/commit/f59e50f8ea596e641da8a0e9c7a33c0696bcbea5
https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-24xv-q29v-3h6r

Tags

security-advisories@github.com
CWE-116
2024-09-30
CVE-2024-47531

CVSS Score

4.6 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

    View Vector String

Timeline

Published: Sept. 30, 2024, 4:15 p.m.
Last Modified: Oct. 4, 2024, 1:51 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.