Exploit
CVE-2024-47531

Improper Encoding or Escaping of Output (CWE-116)

Published: Sep 30, 2024 / Updated: 50d ago

010
CVSS 3.5EPSS 0.04%Low
CVE info copied to clipboard

Summary

Scout, a web-based visualizer for VCF-files, lacks proper sanitization of filenames. This allows attackers to bypass intended file extension restrictions and make users download malicious files with any extension. When users unknowingly download and open these files containing malicious content, it may lead to the compromise of their devices or data.

Impact

This vulnerability could result in users downloading and executing malicious files, potentially leading to unauthorized access, data theft, or system compromise on the user's device. The attacker could craft files with deceptive extensions, tricking users into opening them and executing malicious code. This could lead to installation of malware, theft of sensitive information, or further system exploitation.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been fixed in Scout version 4.89.

Mitigation

1. Update Scout to version 4.89 or later, which includes the fix for this vulnerability. 2. Implement strict input validation and sanitization for filenames on the server-side. 3. Use content-type headers to ensure files are served with the correct MIME type. 4. Educate users about the risks of downloading and opening files from untrusted sources. 5. Implement additional security measures such as file scanning or sandboxing when handling user-downloadable files. 6. Consider implementing content security policies to restrict the types of content that can be loaded or executed.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-47531

Sep 30, 2024 at 4:15 PM
CVSS

A CVSS base score of 4.6 has been assigned.

Sep 30, 2024 at 4:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-47531. See article

Sep 30, 2024 at 4:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Sep 30, 2024 at 4:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.6%)

Oct 1, 2024 at 10:17 AM
CVSS

A CVSS base score of 3.5 has been assigned.

Nov 15, 2024 at 6:05 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Nov 15, 2024 at 8:10 PM
Static CVE Timeline Graph

Affected Systems

Clinical-genomics/scout
+null more

Exploits

https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-24xv-q29v-3h6r
+null more

Patches

github.com
+null more

Attack Patterns

CAPEC-104: Cross Zone Scripting
+null more

News

CVE-2024-47531 Exploit
CVE Id : CVE-2024-47531 Published Date: 2024-11-15T18:02:00+00:00 Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization in the filename, it is possible bypass intended file extension and make users download malicious files with any extension. With malicious content injected inside the file data and users unknowingly downloading it and opening may lead to the compromise of users' devices or data. This vulnerability is fixed in 4.89. inTheWild added a link to an exploit: https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-24xv-q29v-3h6r
CVE Alert: CVE-2024-47531 - https://www. redpacketsecurity.com/cve_aler t_cve-2024-47531/ # OSINT # ThreatIntel # CyberSecurity # cve_2024_47531
CVE Alert: CVE-2024-47531
With malicious content injected inside the file data and users unknowingly downloading it and opening may lead to the compromise of users’ devices or data. Everyone that supports the site helps enable new functionality.
CVE-2024-47531
Medium Severity Description Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization in the filename, it is possible bypass intended file extension and make users download malicious files with any extension. With malicious content injected inside the file data and users unknowingly downloading it and opening may lead to the compromise of users' devices or data. This vulnerability is fixed in 4.89. Read more at https://www.tenable.com/cve/CVE-2024-47531
NA - CVE-2024-47531 - Scout is a web-based visualizer for VCF-files....
Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization in the filename, it is possible bypass intended file extension and make users download malicious files with any...
See 7 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:Required
Scope:Unchanged
Confidentiality:None
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI