CVE-2024-39314
Severity: MEDIUM (4.7)
Description
toy-blog is a headless content management system implementation. Starting in version 0.4.3 and prior to version 0.5.0, the administrative password was leaked through a command-line parameter. The problem was patched in version 0.5.0. As a workaround, pass `--read-bearer-token-from-stdin` in the launch arguments and feed the token via standard input; this works in version 0.4.14 or later. Earlier versions do not have this workaround.
CVE Details
CVSS v3.1 score: 4.7
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack vector: LOCAL
Attack complexity: HIGH
Privileges required: LOW
User interaction: NONE
Published: 7/1/2024
Last modified: 11/21/2024
Source: nvd
Honeypot sightings: 0
Weaknesses (CWE)
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-214 (Invocation of Process Using Visible Sensitive Information)
References
https://github.com/KisaragiEffective/toy-blog/commit/4d003e46a944d8f44ea02c63f4beefa4cbe1f4f7 (source: security-advisories@github.com)
https://github.com/KisaragiEffective/toy-blog/security/advisories/GHSA-q8g2-c3x5-gp89 (source: security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.