CVE-2024-52597

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Versions prior to 5.4.1 are vulnerable to stored cross-site scripting due to improper headers in direct access to uploaded SVGs. The application allows uploading images in several places. One of the accepted types of image is SVG, which allows JS scripting. Therefore, by uploading a malicious SVG which contains JS code, an attacker which is able to drive a victim to the uploaded image could compromise that victim's session and access to their tokens. Version 5.4.1 contains a patch for the issue.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Bubka/2FAuth/commit/93c508e118f483f3c93ac36e1f91face95af642d	Patch
https://github.com/Bubka/2FAuth/security/advisories/GHSA-q5p4-6q4v-gqg3	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:2fauth:2fauth:*:*:*:*:*:*:*:*

History

04 Aug 2025, 16:57

Type	Values Removed	Values Added
First Time		2fauth 2fauth 2fauth
CPE		cpe:2.3:a:2fauth:2fauth::::::::
References	~~() https://github.com/Bubka/2FAuth/commit/93c508e118f483f3c93ac36e1f91face95af642d -~~	() https://github.com/Bubka/2FAuth/commit/93c508e118f483f3c93ac36e1f91face95af642d - Patch
References	~~() https://github.com/Bubka/2FAuth/security/advisories/GHSA-q5p4-6q4v-gqg3 -~~	() https://github.com/Bubka/2FAuth/security/advisories/GHSA-q5p4-6q4v-gqg3 - Exploit, Vendor Advisory

Information

Published : 2024-11-20 14:15

Updated : 2025-08-04 16:57

NVD link : CVE-2024-52597

Mitre link : CVE-2024-52597

CVE.ORG link : CVE-2024-52597

JSON object : View

Products Affected

2fauth

2fauth

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

{"id": "CVE-2024-52597", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-11-20T14:15:17.967", "references": [{"url": "https://github.com/Bubka/2FAuth/commit/93c508e118f483f3c93ac36e1f91face95af642d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Bubka/2FAuth/security/advisories/GHSA-q5p4-6q4v-gqg3", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}]}], "descriptions": [{"lang": "en", "value": "2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Versions prior to 5.4.1 are vulnerable to stored cross-site scripting due to improper headers in direct access to uploaded SVGs. The application allows uploading images in several places. One of the accepted types of image is SVG, which allows JS scripting. Therefore, by uploading a malicious SVG which contains JS code, an attacker which is able to drive a victim to the uploaded image could compromise that victim's session and access to their tokens. Version 5.4.1 contains a patch for the issue."}, {"lang": "es", "value": "2FAuth es una aplicaci\u00f3n web para administrar cuentas de autenticaci\u00f3n de dos factores (2FA) y generar sus c\u00f3digos de seguridad. Las versiones anteriores a la 5.4.1 son vulnerables a cross site scripting almacenado debido a encabezados incorrectos en el acceso directo a los SVG cargados. La aplicaci\u00f3n permite cargar im\u00e1genes en varios lugares. Uno de los tipos de imagen aceptados es el SVG, que permite la creaci\u00f3n de secuencias de comandos JS. Por lo tanto, al cargar un SVG malicioso que contiene c\u00f3digo JS, un atacante que pueda llevar a una v\u00edctima a la imagen cargada podr\u00eda comprometer la sesi\u00f3n de esa v\u00edctima y el acceso a sus tokens. La versi\u00f3n 5.4.1 contiene un parche para el problema."}], "lastModified": "2025-08-04T16:57:38.327", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:2fauth:2fauth:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93DA0184-91A8-4FB3-ACD4-FA9D13D271FF", "versionEndExcluding": "5.4.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}