CVE-2024-51492 (GCVE-0-2024-51492)
Vulnerability from cvelistv5 – Published: 2024-11-01 16:22 – Updated: 2024-11-01 20:18
Title
Zusam vulnerable to stored XSS, allowing token theft via crafted SVG
Summary
Zusam is a free and open-source way to self-host private forums. Prior to version 0.5.6, specially crafted SVG files uploaded to the service as images allow for unrestricted script execution on (raw) image load. With certain payloads, theft of the target user’s long-lived session token is possible. Note that Zusam, at the time of writing, uses a user’s static API key as a long-lived session token, and these terms can be used interchangeably on the platform. This session token/API key remains valid indefinitely, so long as the user doesn’t expressly request a new one via their Settings page. Version 0.5.6 fixes the cross-site scripting vulnerability.
Severity
8.8 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
GitHub_M
References
4 references
| URL | Tags |
|---|---|
| https://github.com/zusam/zusam/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/zusam/zusam/commit/5930fdf86fa… | x_refsource_MISC |
| https://github.com/zusam/zusam/releases/tag/0.5.6 | x_refsource_MISC |
| https://pfeister.dev/CVE-2024-51492 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zusam:zusam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "zusam",
"vendor": "zusam",
"versions": [
{
"lessThan": "0.5.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51492",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T17:26:05.835349Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T17:27:22.183Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zusam",
"vendor": "zusam",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zusam is a free and open-source way to self-host private forums. Prior to version 0.5.6, specially crafted SVG files uploaded to the service as images allow for unrestricted script execution on (raw) image load. With certain payloads, theft of the target user\u2019s long-lived session token is possible. Note that Zusam, at the time of writing, uses a user\u2019s static API key as a long-lived session token, and these terms can be used interchangeably on the platform. This session token/API key remains valid indefinitely, so long as the user doesn\u2019t expressly request a new one via their Settings page. Version 0.5.6 fixes the cross-site scripting vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T20:18:15.274Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zusam/zusam/security/advisories/GHSA-96fx-5rqv-jfxh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zusam/zusam/security/advisories/GHSA-96fx-5rqv-jfxh"
},
{
"name": "https://github.com/zusam/zusam/commit/5930fdf86fa4abed01f0b345c8ec3c443656db9a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zusam/zusam/commit/5930fdf86fa4abed01f0b345c8ec3c443656db9a"
},
{
"name": "https://github.com/zusam/zusam/releases/tag/0.5.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zusam/zusam/releases/tag/0.5.6"
},
{
"name": "https://pfeister.dev/CVE-2024-51492",
"tags": [
"x_refsource_MISC"
],
"url": "https://pfeister.dev/CVE-2024-51492"
}
],
"source": {
"advisory": "GHSA-96fx-5rqv-jfxh",
"discovery": "UNKNOWN"
},
"title": "Zusam vulnerable to stored XSS, allowing token theft via crafted SVG"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51492",
"datePublished": "2024-11-01T16:22:46.645Z",
"dateReserved": "2024-10-28T14:20:59.337Z",
"dateUpdated": "2024-11-01T20:18:15.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-51492",
"date": "2026-05-24",
"epss": "0.00317",
"percentile": "0.54872"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.