{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34354", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-02T06:36:32.438Z", "datePublished": "2024-05-09T14:51:41.627Z", "dateUpdated": "2024-08-02T02:51:09.868Z"}, "containers": {"cna": {"title": "CMSaasStarter: JWT Token Not Verified on Server Session", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/CriticalMoments/CMSaasStarter/security/advisories/GHSA-qgcj-9rxf-rw7q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/CriticalMoments/CMSaasStarter/security/advisories/GHSA-qgcj-9rxf-rw7q"}, {"name": "https://github.com/CriticalMoments/CMSaasStarter/pull/65", "tags": ["x_refsource_MISC"], "url": "https://github.com/CriticalMoments/CMSaasStarter/pull/65"}, {"name": "https://github.com/CriticalMoments/CMSaasStarter/commit/7904d416d2c72ec75f42fbf51e9e64fa74062ee6", "tags": ["x_refsource_MISC"], "url": "https://github.com/CriticalMoments/CMSaasStarter/commit/7904d416d2c72ec75f42fbf51e9e64fa74062ee6"}], "affected": [{"vendor": "CriticalMoments", "product": "CMSaasStarter", "versions": [{"version": "< 7904d416d2c72ec75f42fbf51e9e64fa74062ee6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-09T14:51:41.627Z"}, "descriptions": [{"lang": "en", "value": "CMSaaSStarter is a SaaS template/boilerplate built with SvelteKit, Tailwind, and Supabase. Any forks of the CMSaaSStarter template before commit 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 are impacted. The issue is the user JWT Token is not verified on server session. You should take the patch 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 into your fork.\n"}], "source": {"advisory": "GHSA-qgcj-9rxf-rw7q", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "critical_moments", "product": "cmsaasstarter", "cpes": ["cpe:2.3:a:critical_moments:cmsaasstarter:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "7904d416d2c72ec75f42fbf51e9e64fa74062ee6", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-09T17:40:56.764814Z", "id": "CVE-2024-34354", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T18:26:01.562Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:09.868Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/CriticalMoments/CMSaasStarter/security/advisories/GHSA-qgcj-9rxf-rw7q", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/CriticalMoments/CMSaasStarter/security/advisories/GHSA-qgcj-9rxf-rw7q"}, {"name": "https://github.com/CriticalMoments/CMSaasStarter/pull/65", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/CriticalMoments/CMSaasStarter/pull/65"}, {"name": "https://github.com/CriticalMoments/CMSaasStarter/commit/7904d416d2c72ec75f42fbf51e9e64fa74062ee6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/CriticalMoments/CMSaasStarter/commit/7904d416d2c72ec75f42fbf51e9e64fa74062ee6"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/CriticalMoments/CMSaasStarter/security/advisories/GHSA-qgcj-9rxf-rw7q", "name": "https://github.com/CriticalMoments/CMSaasStarter/security/advisories/GHSA-qgcj-9rxf-rw7q", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/CriticalMoments/CMSaasStarter/pull/65", "name": "https://github.com/CriticalMoments/CMSaasStarter/pull/65", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/CriticalMoments/CMSaasStarter/commit/7904d416d2c72ec75f42fbf51e9e64fa74062ee6", "name": "https://github.com/CriticalMoments/CMSaasStarter/commit/7904d416d2c72ec75f42fbf51e9e64fa74062ee6", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:09.868Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34354", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-09T17:40:56.764814Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:critical_moments:cmsaasstarter:*:*:*:*:*:*:*:*"], "vendor": "critical_moments", "product": "cmsaasstarter", "versions": [{"status": "affected", "version": "0", "lessThan": "7904d416d2c72ec75f42fbf51e9e64fa74062ee6", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-09T17:43:00.785Z"}}], "cna": {"title": "CMSaasStarter: JWT Token Not Verified on Server Session", "source": {"advisory": "GHSA-qgcj-9rxf-rw7q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "CriticalMoments", "product": "CMSaasStarter", "versions": [{"status": "affected", "version": "< 7904d416d2c72ec75f42fbf51e9e64fa74062ee6"}]}], "references": [{"url": "https://github.com/CriticalMoments/CMSaasStarter/security/advisories/GHSA-qgcj-9rxf-rw7q", "name": "https://github.com/CriticalMoments/CMSaasStarter/security/advisories/GHSA-qgcj-9rxf-rw7q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/CriticalMoments/CMSaasStarter/pull/65", "name": "https://github.com/CriticalMoments/CMSaasStarter/pull/65", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/CriticalMoments/CMSaasStarter/commit/7904d416d2c72ec75f42fbf51e9e64fa74062ee6", "name": "https://github.com/CriticalMoments/CMSaasStarter/commit/7904d416d2c72ec75f42fbf51e9e64fa74062ee6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CMSaaSStarter is a SaaS template/boilerplate built with SvelteKit, Tailwind, and Supabase. Any forks of the CMSaaSStarter template before commit 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 are impacted. The issue is the user JWT Token is not verified on server session. You should take the patch 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 into your fork.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-09T14:51:41.627Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34354", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:51:09.868Z", "dateReserved": "2024-05-02T06:36:32.438Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-09T14:51:41.627Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "CMSaaSStarter is a SaaS template/boilerplate built with SvelteKit, Tailwind, and Supabase. Any forks of the CMSaaSStarter template before commit 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 are impacted. The issue is the user JWT Token is not verified on server session. You should take the patch 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 into your fork.\n"}, {"lang": "es", "value": "CMSaaSStarter es una plantilla/modelo SaaS construida con SvelteKit, Tailwind y Supabase. Cualquier bifurcaci\u00f3n de la plantilla CMSaaSStarter antes de el commit 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 se ver\u00e1 afectada. El problema es que el token JWT del usuario no est\u00e1 verificado en la sesi\u00f3n del servidor. Deber\u00edas llevar el parche 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 a tu bifurcaci\u00f3n."}], "id": "CVE-2024-34354", "lastModified": "2024-05-14T16:12:23.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-14T15:38:44.480", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/CriticalMoments/CMSaasStarter/commit/7904d416d2c72ec75f42fbf51e9e64fa74062ee6"}, {"source": "security-advisories@github.com", "url": "https://github.com/CriticalMoments/CMSaasStarter/pull/65"}, {"source": "security-advisories@github.com", "url": "https://github.com/CriticalMoments/CMSaasStarter/security/advisories/GHSA-qgcj-9rxf-rw7q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}