Anonymous Tip Line Vulnerability: Lack of 2FA for Changing Security Settings
CVE-2024-38523

7.5 HIGH

Key Information:

Vendor:
Scidsg

Status:
Vendor

CVE Published:
27 June 2024

What is CVE-2024-38523?

The TOTP authentication mechanism in Hush Line, an anonymous-tip-line service developed by SCIDSG, presents several vulnerabilities that compromise its intended security functions. Specifically, the authentication flow does not enforce two-factor authentication (2FA) when crucial security settings are altered. This oversight enables an attacker who can mount a Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS) attack to modify those settings without needing user interaction. The severity of this vulnerability underscores the importance of enforcing 2FA on security-sensitive changes, not only at login. The issue has been resolved in version 0.10 of Hush Line.
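The weakness described above is that a request to change a security setting is accepted on the strength of the login session alone, so a forged request (CSRF) or script injected into the page (XSS) can make the change. The added example below is not Hush Line's code and does not reproduce its fix; it is a hypothetical, framework-free handler pair that shows the pattern: the vulnerable shape (`change_setting_without_2fa`) beside a hardened shape (`change_setting_with_2fa`) that requires a CSRF token bound to the session and a fresh, single-use TOTP code before applying the change. TOTP is implemented from the standard library per RFC 6238, and `DEMO_SECRET` is the base32 form of the RFC 4226/6238 test key, so the codes it produces can be checked against the published vectors. All function, field and session-key names are assumptions for the example.

```python
"""Added example (not Hush Line's code): step-up 2FA + CSRF check on a
security-settings endpoint. Session and form are plain dicts standing in for
a web framework's session and POST body."""
import base64
import hashlib
import hmac
import struct

TOTP_STEP = 30       # seconds per code, RFC 6238 default
TOTP_DIGITS = 6
TOTP_WINDOW = 1      # accept one step either side to absorb clock drift

# Constructed secret: base32 of the RFC 4226/6238 test key "12345678901234567890"
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HMAC-SHA1 based one-time password (RFC 4226 dynamic truncation)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: float, step: int = TOTP_STEP) -> str:
    """Time-based code for the time step containing `now` (RFC 6238)."""
    return hotp(secret_b32, int(now // step))


def verify_totp(secret_b32: str, code: str, now: float, last_used_counter: int = -1):
    """Return the matching time-step counter, or None.

    Counters at or below `last_used_counter` are refused, so a code that was
    already consumed cannot be replayed within the acceptance window.
    """
    current = int(now // TOTP_STEP)
    for counter in range(current - TOTP_WINDOW, current + TOTP_WINDOW + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            return counter
    return None


def change_setting_without_2fa(session: dict, form: dict):
    """Vulnerable shape: any request carrying a valid login session is applied,
    which is exactly what a forged cross-site request carries."""
    if not session.get("user_id"):
        return 401, "login required"
    session["settings"][form["setting"]] = form["value"]
    return 200, "updated"


def change_setting_with_2fa(session: dict, form: dict, now: float):
    """Hardened shape: session-bound CSRF token plus a fresh, single-use TOTP code."""
    if not session.get("user_id"):
        return 401, "login required"
    submitted = form.get("csrf_token", "")
    if not submitted or not hmac.compare_digest(submitted, session.get("csrf_token", "")):
        return 403, "csrf token missing or invalid"
    secret = session.get("totp_secret")
    if not secret:
        return 403, "2fa must be enrolled before changing security settings"
    counter = verify_totp(secret, form.get("totp_code", ""), now,
                          session.get("last_totp_counter", -1))
    if counter is None:
        return 403, "invalid or reused 2fa code"
    session["last_totp_counter"] = counter   # burn the code
    session["settings"][form["setting"]] = form["value"]
    return 200, "updated"


def new_session(user_id: str = "alice") -> dict:
    """Constructed logged-in session with 2FA enrolled (hypothetical layout)."""
    return {"user_id": user_id, "csrf_token": "csrf-demo-token",
            "totp_secret": DEMO_SECRET, "settings": {"pgp_key": "old"},
            "last_totp_counter": -1}


def demo():
    """Status codes for: forged request on weak handler, forged request on
    hardened handler, legitimate request, replay of the legitimate request."""
    now = 59.0                                   # RFC 6238 test time, counter 1
    forged = {"setting": "pgp_key", "value": "forged"}   # no csrf token, no code
    weak = change_setting_without_2fa(new_session(), forged)
    sess = new_session()
    blocked = change_setting_with_2fa(sess, forged, now)
    legit = {**forged, "value": "new", "csrf_token": "csrf-demo-token",
             "totp_code": totp(DEMO_SECRET, now)}
    ok = change_setting_with_2fa(sess, legit, now)
    replay = change_setting_with_2fa(sess, legit, now)
    return weak[0], blocked[0], ok[0], replay[0]


if __name__ == "__main__":
    print(demo())   # (200, 403, 200, 403)
```

The hardened handler checks the CSRF token before touching the TOTP secret so that a forged request fails cheaply, and it records the consumed time-step counter so the same code cannot be submitted twice inside the drift window. In a real application the session and CSRF token would come from the framework, and the TOTP secret would be loaded from the user record rather than stored in the session.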

Affected Version(s)

hushline < 0.1.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published
