Description

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Versions prior to 5.4.1 are vulnerable to stored cross-site scripting due to improper headers in direct access to uploaded SVGs. The application allows uploading images in several places. One of the accepted types of image is SVG, which allows JS scripting. Therefore, by uploading a malicious SVG which contains JS code, an attacker which is able to drive a victim to the uploaded image could compromise that victim's session and access to their tokens. Version 5.4.1 contains a patch for the issue.

INFO

Published Date :

2024-11-20T14:01:37.062Z

Last Modified :

2024-11-20T14:31:57.628Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-52597 vulnerability.

Vendors Products
2fauth
  • 2fauth
Bubka
  • 2fauth
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-52597.

URL Resource
https://github.com/Bubka/2FAuth/commit/93c508e118f483f3c93ac36e1f91face95af642d cve-icon cve-icon
https://github.com/Bubka/2FAuth/security/advisories/GHSA-q5p4-6q4v-gqg3 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact