{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47531", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-25T21:46:10.929Z", "datePublished": "2024-09-30T15:26:49.421Z", "dateUpdated": "2024-09-30T16:31:07.889Z"}, "containers": {"cna": {"title": "Scout contains insufficient output escaping of attachment names", "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-24xv-q29v-3h6r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-24xv-q29v-3h6r"}, {"name": "https://github.com/Clinical-Genomics/scout/commit/f59e50f8ea596e641da8a0e9c7a33c0696bcbea5", "tags": ["x_refsource_MISC"], "url": "https://github.com/Clinical-Genomics/scout/commit/f59e50f8ea596e641da8a0e9c7a33c0696bcbea5"}], "affected": [{"vendor": "Clinical-Genomics", "product": "scout", "versions": [{"version": "<= 4.88.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-30T15:26:49.421Z"}, "descriptions": [{"lang": "en", "value": "Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization in the filename, it is possible bypass intended file extension and make users download malicious files with any extension. With malicious content injected inside the file data and users unknowingly downloading it and opening may lead to the compromise of users' devices or data. This vulnerability is fixed in 4.89."}], "source": {"advisory": "GHSA-24xv-q29v-3h6r", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "clinical-genomics", "product": "scout", "cpes": ["cpe:2.3:a:clinical-genomics:scout:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.88.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-30T16:30:09.440058Z", "id": "CVE-2024-47531", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-30T16:31:07.889Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47531", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-30T16:30:09.440058Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:clinical-genomics:scout:-:*:*:*:*:*:*:*"], "vendor": "clinical-genomics", "product": "scout", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "4.88.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-30T16:31:02.300Z"}}], "cna": {"title": "Scout contains insufficient output escaping of attachment names", "source": {"advisory": "GHSA-24xv-q29v-3h6r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Clinical-Genomics", "product": "scout", "versions": [{"status": "affected", "version": "<= 4.88.1"}]}], "references": [{"url": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-24xv-q29v-3h6r", "name": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-24xv-q29v-3h6r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Clinical-Genomics/scout/commit/f59e50f8ea596e641da8a0e9c7a33c0696bcbea5", "name": "https://github.com/Clinical-Genomics/scout/commit/f59e50f8ea596e641da8a0e9c7a33c0696bcbea5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization in the filename, it is possible bypass intended file extension and make users download malicious files with any extension. With malicious content injected inside the file data and users unknowingly downloading it and opening may lead to the compromise of users' devices or data. This vulnerability is fixed in 4.89."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-30T15:26:49.421Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47531", "state": "PUBLISHED", "dateUpdated": "2024-09-30T16:31:07.889Z", "dateReserved": "2024-09-25T21:46:10.929Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-30T15:26:49.421Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:clinical-genomics:scout:*:*:*:*:*:*:*:*", "matchCriteriaId": "44ADA126-F97E-4ADC-AE4C-7C54D3375D19", "versionEndExcluding": "4.89", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization in the filename, it is possible bypass intended file extension and make users download malicious files with any extension. With malicious content injected inside the file data and users unknowingly downloading it and opening may lead to the compromise of users' devices or data. This vulnerability is fixed in 4.89."}, {"lang": "es", "value": "Scout es un visualizador web para archivos VCF. Debido a la falta de desinfecci\u00f3n en el nombre de archivo, es posible eludir la extensi\u00f3n de archivo deseada y hacer que los usuarios descarguen archivos maliciosos con cualquier extensi\u00f3n. Si se inyecta contenido malicioso dentro de los datos del archivo y los usuarios lo descargan y abren sin saberlo, es posible que se vean comprometidos los dispositivos o los datos de los usuarios. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 4.89."}], "id": "CVE-2024-47531", "lastModified": "2024-11-15T18:02:14.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-30T16:15:09.750", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Clinical-Genomics/scout/commit/f59e50f8ea596e641da8a0e9c7a33c0696bcbea5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-24xv-q29v-3h6r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{}