Description

Lightdash version 0.1024.6 allows users with the necessary permissions, such as Administrator or Editor, to create and share dashboards. A dashboard that contains HTML elements which point to a threat actor controlled source can trigger an SSRF request when exported, via a POST request to /api/v1/dashboards//export. The forged request contains the value of the exporting user’s session token. A threat actor could obtain the session token of any user who exports the dashboard. The obtained session token can be used to perform actions as the victim on the application, resulting in session takeover.

INFO

Published Date :

2024-08-30T22:25:48.431Z

Last Modified :

2024-09-03T14:50:25.611Z

Source :

Mandiant
AFFECTED PRODUCTS

The following products are affected by CVE-2024-6586 vulnerability.

Vendors Products
Lightdash
  • Lightdash
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-6586.

URL Resource
https://github.com/google/security-research/security/advisories/GHSA-4h7x-6vxh-7hjf cve-icon cve-icon
https://github.com/lightdash/lightdash cve-icon cve-icon
https://github.com/lightdash/lightdash/pull/9295 cve-icon cve-icon
https://github.com/lightdash/lightdash/releases/tag/0.1027.2 cve-icon cve-icon
https://patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9295.patch cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-6586 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact