CVE-2024-52597

MEDIUM EPSS 28.2%
Published Nov 20, 20241y ago · Modified Jun 17, 20261w ago
6.1 CVSS 3.1
Medium
Find Similar
Published Nov 20, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Versions prior to 5.4.1 are vulnerable to stored cross-site scripting due to improper headers in direct access to uploaded SVGs. The application allows uploading images in several places. One of the accepted types of image is SVG, which allows JS scripting. Therefore, by uploading a malicious SVG which contains JS code, an attacker which is able to drive a victim to the uploaded image could compromise that victim's session and access to their tokens. Version 5.4.1 contains a patch for the issue.

CVSS Details

Base Score
6.1
Exploitability
2.8
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
28.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-79 Cross-site Scripting Injection
CWE-80

Affected Products 1

VendorProductVersionRange
2fauth2fauth* <5.4.1

References 2

  • github.com https://github.com/Bubka/2FAuth/commit/93c508e118f483f3c93ac36e1f91face95af642d
    Patch
  • github.com https://github.com/Bubka/2FAuth/security/advisories/GHSA-q5p4-6q4v-gqg3
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/Bubka/2FAuth/commit/93c508e118f483f3c93ac36e1f91face95af642d
    Patch