CVE-2024-47530

Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lack of scheme validation, HTTPS Downgrade Attack can be performed on the users. This vulnerability is fixed in 4.89.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Clinical-Genomics/scout/commit/50055edfca9a7183b248019af97e1fb0b0065a02	Patch
https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-3x45-2m34-x95v	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:clinical-genomics:scout:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-30 16:15

Updated : 2024-11-15 18:03

NVD link : CVE-2024-47530

Mitre link : CVE-2024-47530

CVE.ORG link : CVE-2024-47530

JSON object : View

Products Affected

clinical-genomics

scout

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2024-47530", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-09-30T16:15:09.540", "references": [{"url": "https://github.com/Clinical-Genomics/scout/commit/50055edfca9a7183b248019af97e1fb0b0065a02", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-3x45-2m34-x95v", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lack of scheme validation, HTTPS Downgrade Attack can be performed on the users. This vulnerability is fixed in 4.89."}, {"lang": "es", "value": "Scout es un visualizador basado en la web para archivos VCF. La vulnerabilidad de redirecci\u00f3n abierta permite realizar ataques de phishing a los usuarios al redirigirlos a una p\u00e1gina maliciosa. El endpoint de la API /login es vulnerable a ataques de redirecci\u00f3n abierta a trav\u00e9s del siguiente par\u00e1metro debido a la ausencia de l\u00f3gica de desinfecci\u00f3n. Adem\u00e1s, debido a la falta de validaci\u00f3n del esquema, se puede realizar un ataque de degradaci\u00f3n de HTTPS a los usuarios. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 4.89."}], "lastModified": "2024-11-15T18:03:06.497", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:clinical-genomics:scout:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "44ADA126-F97E-4ADC-AE4C-7C54D3375D19", "versionEndExcluding": "4.89"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}