CVE-2024-27092

MEDIUM EPSS 44.6%
Published Feb 29, 20242y ago · Modified Jun 17, 20261w ago
5.4 CVSS 3.1
Medium
Find Similar
Published Feb 29, 2024 2y ago
Last Modified Jun 17, 2026 1w ago

Description

Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label (Edit Team) - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload (external link) is presented in clickable form - easier to achieve own goals by malicious actors. This issue is fixed in 2023.12.6.

CVSS Details

Base Score
5.4
Exploitability
2.3
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
44.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-20 Improper Input Validation Validation
CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
hoppscotchhoppscotch* <2023.12.6

References 3

  • github.com https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153
    Product
  • github.com https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5
    Patch
  • github.com https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp
    ExploitThird Party Advisory

Remediation

  • github.com https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5
    Patch