CVE-2024-51492

01.11.2024, 17:15

Zusam is a free and open-source way to self-host private forums. Prior to version 0.5.6, specially crafted SVG files uploaded to the service as images allow for unrestricted script execution on (raw) image load. With certain payloads, theft of the target users long-lived session token is possible. Note that Zusam, at the time of writing, uses a users static API key as a long-lived session token, and these terms can be used interchangeably on the platform. This session token/API key remains valid indefinitely, so long as the user doesnt expressly request a new one via their Settings page. Version 0.5.6 fixes the cross-site scripting vulnerability.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
GitHub_M	CNA	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/zusam/zusam/commit/5930fdf86fa4abed01f0b345c8ec3c443656db9a

https://github.com/zusam/zusam/releases/tag/0.5.6

https://github.com/zusam/zusam/security/advisories/GHSA-96fx-5rqv-jfxh

https://pfeister.dev/CVE-2024-51492