CVE-2024-52286

{"id": "CVE-2024-52286", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 2.0, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "LOW", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "LOW", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-11-11T20:15:19.867", "references": [{"url": "https://github.com/Stirling-Tools/Stirling-PDF/commit/404e31468ec98413f1906cc7ee3d49091638c693", "source": "security-advisories@github.com"}, {"url": "https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-9j55-gvf2-cqwv", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In affected versions the Merge functionality takes untrusted user input (file name) and uses it directly in the creation of HTML pages allowing any unauthenticated to execute JavaScript code in the context of the user. The issue stems to the code starting at `Line 24` in `src/main/resources/static/js/merge.js`. The file name is directly being input into InnerHTML with no sanitization on the file name, allowing a malicious user to be able to upload files with names containing HTML tags. As HTML tags can include JavaScript code, this can be used to execute JavaScript code in the context of the user. This is a self-injection style attack and relies on a user uploading the malicious file themselves and it impact only them, not other users. A user might be social engineered into running this to launch a phishing attack. Nevertheless, this breaks the expected security restrictions in place by the application. This issue has been addressed in version 0.32.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Stirling-PDF es una aplicaci\u00f3n web alojada localmente que permite realizar varias operaciones en archivos PDF. En las versiones afectadas, la funci\u00f3n Merge toma la entrada de usuario no confiable (nombre de archivo) y la usa directamente en la creaci\u00f3n de p\u00e1ginas HTML, lo que permite que cualquier usuario no autenticado ejecute c\u00f3digo JavaScript en el contexto del usuario. El problema se origina en el c\u00f3digo que comienza en la `L\u00ednea 24` en `src/main/resources/static/js/merge.js`. El nombre del archivo se ingresa directamente en InnerHTML sin sanitizar el nombre del archivo, lo que permite que un usuario malintencionado pueda cargar archivos con nombres que contengan etiquetas HTML. Como las etiquetas HTML pueden incluir c\u00f3digo JavaScript, esto se puede usar para ejecutar c\u00f3digo JavaScript en el contexto del usuario. Este es un ataque de estilo de autoinyecci\u00f3n y se basa en que un usuario cargue el archivo malicioso por s\u00ed mismo y solo lo afecta a \u00e9l, no a otros usuarios. Se puede inducir a un usuario a ejecutar esto para lanzar un ataque de phishing. Sin embargo, esto rompe las restricciones de seguridad esperadas establecidas por la aplicaci\u00f3n. Este problema se ha solucionado en la versi\u00f3n 0.32.0 y se recomienda a todos los usuarios que actualicen la versi\u00f3n. No existen workarounds conocidas para esta vulnerabilidad."}], "lastModified": "2024-11-12T13:55:21.227", "sourceIdentifier": "security-advisories@github.com"}