CVE-2024-34698 - OpenCVE

Link	Providers
https://github.com/freescout-helpdesk/freescout/commit/2614514bc6d6c4ad563202a1c9cae5a97b195cc5
https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-rx6j-4c33-9h3r

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34698", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-07T13:53:00.131Z", "datePublished": "2024-05-13T15:50:34.498Z", "dateUpdated": "2024-08-02T02:59:21.707Z"}, "containers": {"cna": {"title": "Prototype Pollution in getQueryParam Function (URL Query Parser)", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-rx6j-4c33-9h3r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-rx6j-4c33-9h3r"}, {"name": "https://github.com/freescout-helpdesk/freescout/commit/2614514bc6d6c4ad563202a1c9cae5a97b195cc5", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-helpdesk/freescout/commit/2614514bc6d6c4ad563202a1c9cae5a97b195cc5"}], "affected": [{"vendor": "freescout-helpdesk", "product": "freescout", "versions": [{"version": "< 1.8.139", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-13T15:50:34.498Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free, self-hosted help desk and shared mailbox. Versions of FreeScout prior to 1.8.139 contain a Prototype Pollution vulnerability in the `/public/js/main.js` source file. The Prototype Pollution arises because the `getQueryParam` Function recursively merges an object containing user-controllable properties into an existing object (For URL Query Parameters Parsing), without first sanitizing the keys. This can allow an attacker to inject a property with a key `__proto__`, along with arbitrarily nested properties. The merge operation assigns the nested properties to the `params` object's prototype instead of the target object itself. As a result, the attacker can pollute the prototype with properties containing harmful values, which are then inherited by user-defined objects and subsequently used by the application dangerously. The vulnerability lets an attacker control properties of objects that would otherwise be inaccessible. If the application subsequently handles an attacker-controlled property in an unsafe way, this can potentially be chained with other vulnerabilities like DOM-based XSS, Open Redirection, Cookie Manipulation, Link Manipulation, HTML Injection, etc. Version 1.8.139 contains a patch for the issue."}], "source": {"advisory": "GHSA-rx6j-4c33-9h3r", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34698", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-21T18:35:12.548255Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:freescout_helpdesk:freescout:*:*:*:*:*:*:*:*"], "vendor": "freescout_helpdesk", "product": "freescout", "versions": [{"status": "affected", "version": "0", "lessThan": "1.8.139", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:42:25.344Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:59:21.707Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-rx6j-4c33-9h3r", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-rx6j-4c33-9h3r"}, {"name": "https://github.com/freescout-helpdesk/freescout/commit/2614514bc6d6c4ad563202a1c9cae5a97b195cc5", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/freescout-helpdesk/freescout/commit/2614514bc6d6c4ad563202a1c9cae5a97b195cc5"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-rx6j-4c33-9h3r", "name": "https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-rx6j-4c33-9h3r", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/freescout-helpdesk/freescout/commit/2614514bc6d6c4ad563202a1c9cae5a97b195cc5", "name": "https://github.com/freescout-helpdesk/freescout/commit/2614514bc6d6c4ad563202a1c9cae5a97b195cc5", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:59:21.707Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34698", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-21T18:35:12.548255Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:freescout_helpdesk:freescout:*:*:*:*:*:*:*:*"], "vendor": "freescout_helpdesk", "product": "freescout", "versions": [{"status": "affected", "version": "0", "lessThan": "1.8.139", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-21T18:35:46.832Z"}}], "cna": {"title": "Prototype Pollution in getQueryParam Function (URL Query Parser)", "source": {"advisory": "GHSA-rx6j-4c33-9h3r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "freescout-helpdesk", "product": "freescout", "versions": [{"status": "affected", "version": "< 1.8.139"}]}], "references": [{"url": "https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-rx6j-4c33-9h3r", "name": "https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-rx6j-4c33-9h3r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/freescout-helpdesk/freescout/commit/2614514bc6d6c4ad563202a1c9cae5a97b195cc5", "name": "https://github.com/freescout-helpdesk/freescout/commit/2614514bc6d6c4ad563202a1c9cae5a97b195cc5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free, self-hosted help desk and shared mailbox. Versions of FreeScout prior to 1.8.139 contain a Prototype Pollution vulnerability in the `/public/js/main.js` source file. The Prototype Pollution arises because the `getQueryParam` Function recursively merges an object containing user-controllable properties into an existing object (For URL Query Parameters Parsing), without first sanitizing the keys. This can allow an attacker to inject a property with a key `__proto__`, along with arbitrarily nested properties. The merge operation assigns the nested properties to the `params` object's prototype instead of the target object itself. As a result, the attacker can pollute the prototype with properties containing harmful values, which are then inherited by user-defined objects and subsequently used by the application dangerously. The vulnerability lets an attacker control properties of objects that would otherwise be inaccessible. If the application subsequently handles an attacker-controlled property in an unsafe way, this can potentially be chained with other vulnerabilities like DOM-based XSS, Open Redirection, Cookie Manipulation, Link Manipulation, HTML Injection, etc. Version 1.8.139 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-13T15:50:34.498Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34698", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:59:21.707Z", "dateReserved": "2024-05-07T13:53:00.131Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-13T15:50:34.498Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free, self-hosted help desk and shared mailbox. Versions of FreeScout prior to 1.8.139 contain a Prototype Pollution vulnerability in the `/public/js/main.js` source file. The Prototype Pollution arises because the `getQueryParam` Function recursively merges an object containing user-controllable properties into an existing object (For URL Query Parameters Parsing), without first sanitizing the keys. This can allow an attacker to inject a property with a key `__proto__`, along with arbitrarily nested properties. The merge operation assigns the nested properties to the `params` object's prototype instead of the target object itself. As a result, the attacker can pollute the prototype with properties containing harmful values, which are then inherited by user-defined objects and subsequently used by the application dangerously. The vulnerability lets an attacker control properties of objects that would otherwise be inaccessible. If the application subsequently handles an attacker-controlled property in an unsafe way, this can potentially be chained with other vulnerabilities like DOM-based XSS, Open Redirection, Cookie Manipulation, Link Manipulation, HTML Injection, etc. Version 1.8.139 contains a patch for the issue."}, {"lang": "es", "value": "FreeScout es un servicio de asistencia gratuito y un buz\u00f3n de correo compartido autohospedado. Las versiones de FreeScout anteriores a la 1.8.139 contienen una vulnerabilidad de contaminaci\u00f3n de prototipo en el archivo fuente `/public/js/main.js`. La contaminaci\u00f3n del prototipo surge porque la funci\u00f3n `getQueryParam` fusiona recursivamente un objeto que contiene propiedades controlables por el usuario en un objeto existente (para el an\u00e1lisis de par\u00e1metros de consulta de URL), sin sanitizar primero las claves. Esto puede permitir a un atacante inyectar una propiedad con una clave `__proto__`, junto con propiedades anidadas arbitrariamente. La operaci\u00f3n de fusi\u00f3n asigna las propiedades anidadas al prototipo del objeto `params` en lugar del propio objeto de destino. Como resultado, el atacante puede contaminar el prototipo con propiedades que contienen valores da\u00f1inos, que luego son heredados por objetos definidos por el usuario y posteriormente utilizados peligrosamente por la aplicaci\u00f3n. La vulnerabilidad permite a un atacante controlar propiedades de objetos que de otro modo ser\u00edan inaccesibles. Si posteriormente la aplicaci\u00f3n maneja una propiedad controlada por un atacante de forma insegura, esto puede potencialmente encadenarse con otras vulnerabilidades como XSS basado en DOM, redirecci\u00f3n abierta, manipulaci\u00f3n de cookies, manipulaci\u00f3n de enlaces, inyecci\u00f3n de HTML, etc. La versi\u00f3n 1.8.139 contiene un parche para el tema."}], "id": "CVE-2024-34698", "lastModified": "2024-05-14T16:12:23.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-14T15:39:27.840", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/freescout-helpdesk/freescout/commit/2614514bc6d6c4ad563202a1c9cae5a97b195cc5"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-helpdesk/freescout/security/advisories/GHSA-rx6j-4c33-9h3r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object