{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47530", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-25T21:46:10.929Z", "datePublished": "2024-09-30T15:17:39.731Z", "dateUpdated": "2024-09-30T15:45:37.010Z"}, "containers": {"cna": {"title": "Scout contains an Open Redirect on Login via `next`", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-3x45-2m34-x95v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-3x45-2m34-x95v"}, {"name": "https://github.com/Clinical-Genomics/scout/commit/50055edfca9a7183b248019af97e1fb0b0065a02", "tags": ["x_refsource_MISC"], "url": "https://github.com/Clinical-Genomics/scout/commit/50055edfca9a7183b248019af97e1fb0b0065a02"}], "affected": [{"vendor": "Clinical-Genomics", "product": "scout", "versions": [{"version": "< 4.89", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-30T15:17:39.731Z"}, "descriptions": [{"lang": "en", "value": "Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lack of scheme validation, HTTPS Downgrade Attack can be performed on the users. This vulnerability is fixed in 4.89."}], "source": {"advisory": "GHSA-3x45-2m34-x95v", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "clinical-genomics", "product": "scout", "cpes": ["cpe:2.3:a:clinical-genomics:scout:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "4.89", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-30T15:44:10.932306Z", "id": "CVE-2024-47530", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-30T15:45:37.010Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47530", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-30T15:44:10.932306Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:clinical-genomics:scout:-:*:*:*:*:*:*:*"], "vendor": "clinical-genomics", "product": "scout", "versions": [{"status": "affected", "version": "0", "lessThan": "4.89", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-30T15:45:26.143Z"}}], "cna": {"title": "Scout contains an Open Redirect on Login via `next`", "source": {"advisory": "GHSA-3x45-2m34-x95v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Clinical-Genomics", "product": "scout", "versions": [{"status": "affected", "version": "< 4.89"}]}], "references": [{"url": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-3x45-2m34-x95v", "name": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-3x45-2m34-x95v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Clinical-Genomics/scout/commit/50055edfca9a7183b248019af97e1fb0b0065a02", "name": "https://github.com/Clinical-Genomics/scout/commit/50055edfca9a7183b248019af97e1fb0b0065a02", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lack of scheme validation, HTTPS Downgrade Attack can be performed on the users. This vulnerability is fixed in 4.89."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-30T15:17:39.731Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47530", "state": "PUBLISHED", "dateUpdated": "2024-09-30T15:45:37.010Z", "dateReserved": "2024-09-25T21:46:10.929Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-30T15:17:39.731Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:clinical-genomics:scout:*:*:*:*:*:*:*:*", "matchCriteriaId": "44ADA126-F97E-4ADC-AE4C-7C54D3375D19", "versionEndExcluding": "4.89", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lack of scheme validation, HTTPS Downgrade Attack can be performed on the users. This vulnerability is fixed in 4.89."}, {"lang": "es", "value": "Scout es un visualizador basado en la web para archivos VCF. La vulnerabilidad de redirecci\u00f3n abierta permite realizar ataques de phishing a los usuarios al redirigirlos a una p\u00e1gina maliciosa. El endpoint de la API /login es vulnerable a ataques de redirecci\u00f3n abierta a trav\u00e9s del siguiente par\u00e1metro debido a la ausencia de l\u00f3gica de desinfecci\u00f3n. Adem\u00e1s, debido a la falta de validaci\u00f3n del esquema, se puede realizar un ataque de degradaci\u00f3n de HTTPS a los usuarios. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 4.89."}], "id": "CVE-2024-47530", "lastModified": "2024-11-15T18:03:06.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-30T16:15:09.540", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Clinical-Genomics/scout/commit/50055edfca9a7183b248019af97e1fb0b0065a02"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-3x45-2m34-x95v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{}