← Voltar para CVEs
CVE-2024-52597
MEDIUM6.1
Descricao
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Versions prior to 5.4.1 are vulnerable to stored cross-site scripting due to improper headers in direct access to uploaded SVGs. The application allows uploading images in several places. One of the accepted types of image is SVG, which allows JS scripting. Therefore, by uploading a malicious SVG which contains JS code, an attacker which is able to drive a victim to the uploaded image could compromise that victim's session and access to their tokens. Version 5.4.1 contains a patch for the issue.
Detalhes CVE
Pontuacao CVSS v3.16.1
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioREQUIRED
Publicado11/20/2024
Ultima modificacao8/4/2025
Fontenvd
Avistamentos honeypot0
Produtos afetados
2fauth:2fauth
Fraquezas (CWE)
CWE-79CWE-80
Referencias
https://github.com/Bubka/2FAuth/commit/93c508e118f483f3c93ac36e1f91face95af642d(security-advisories@github.com)
https://github.com/Bubka/2FAuth/security/advisories/GHSA-q5p4-6q4v-gqg3(security-advisories@github.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.