Vulnerabilities related to clinical-genomics - scout
Vulnerability from fkie_nvd
Published
2022-05-05 11:15
Modified
2024-11-21 06:41
Summary
Server-Side Request Forgery in scout in GitHub repository clinical-genomics/scout prior to v4.42. An attacker could make the application perform arbitrary requests, which could be used for phishing to steal cookies, to reach private areas, or to lead to XSS.
References
Source | URL | Tags |
---|---|---|---|
security@huntr.dev | https://github.com/clinical-genomics/scout/commit/b0ef15f4737d0c801154c1991b52ff5cab4f5c83 | Patch, Third Party Advisory | |
security@huntr.dev | https://huntr.dev/bounties/352b39da-0f2e-415a-9793-5480cae8bd27 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/clinical-genomics/scout/commit/b0ef15f4737d0c801154c1991b52ff5cab4f5c83 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/352b39da-0f2e-415a-9793-5480cae8bd27 | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
clinical-genomics | scout | * (all versions before 4.42) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:clinical-genomics:scout:*:*:*:*:*:*:*:*", "matchCriteriaId": "81B0088E-EEFE-4123-87FE-CDE182D1A5B2", "versionEndExcluding": "4.42", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Server-Side Request Forgery in scout in GitHub repository clinical-genomics/scout prior to v4.42. An attacker could make the application perform arbitrary requests to fishing steal cookie, request to private area, or lead to xss..." }, { "lang": "es", "value": "Una vulnerabilidad de tipo Server-Side Request Forgery en scout en el repositorio de GitHub clinical-genomics/scout versiones anteriores a v4.42. Un atacante podr\u00eda hacer que la aplicaci\u00f3n llevara a cabo peticiones arbitrarias para pescar robar la cookie, petici\u00f3n al \u00e1rea privada, o llevar a un ataque de tipo xss..." } ], "id": "CVE-2022-1592", "lastModified": "2024-11-21T06:41:02.100", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.0" }, "exploitabilityScore": 3.9, 
"impactScore": 5.5, "source": "security@huntr.dev", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-05-05T11:15:08.117", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/clinical-genomics/scout/commit/b0ef15f4737d0c801154c1991b52ff5cab4f5c83" }, { "source": "security@huntr.dev", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/352b39da-0f2e-415a-9793-5480cae8bd27" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/clinical-genomics/scout/commit/b0ef15f4737d0c801154c1991b52ff5cab4f5c83" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/352b39da-0f2e-415a-9793-5480cae8bd27" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "security@huntr.dev", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-09-30 16:15
Modified
2024-11-15 18:03
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Scout is a web-based visualizer for VCF-files. An open redirect vulnerability allows phishing attacks on users by redirecting them to a malicious page. The /login API endpoint is vulnerable to open redirect via the `next` parameter due to the absence of sanitization logic. Additionally, due to the lack of scheme validation, an HTTPS downgrade attack can be performed on users. This vulnerability is fixed in 4.89.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
clinical-genomics | scout | * (all versions before 4.89) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:clinical-genomics:scout:*:*:*:*:*:*:*:*", "matchCriteriaId": "44ADA126-F97E-4ADC-AE4C-7C54D3375D19", "versionEndExcluding": "4.89", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lack of scheme validation, HTTPS Downgrade Attack can be performed on the users. This vulnerability is fixed in 4.89." }, { "lang": "es", "value": "Scout es un visualizador basado en la web para archivos VCF. La vulnerabilidad de redirecci\u00f3n abierta permite realizar ataques de phishing a los usuarios al redirigirlos a una p\u00e1gina maliciosa. El endpoint de la API /login es vulnerable a ataques de redirecci\u00f3n abierta a trav\u00e9s del siguiente par\u00e1metro debido a la ausencia de l\u00f3gica de desinfecci\u00f3n. Adem\u00e1s, debido a la falta de validaci\u00f3n del esquema, se puede realizar un ataque de degradaci\u00f3n de HTTPS a los usuarios. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 4.89." 
} ], "id": "CVE-2024-47530", "lastModified": "2024-11-15T18:03:06.497", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-09-30T16:15:09.540", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/Clinical-Genomics/scout/commit/50055edfca9a7183b248019af97e1fb0b0065a02" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-3x45-2m34-x95v" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-601" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-09-30 16:15
Modified
2024-11-15 18:02
Severity ?
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Summary
Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization of the filename, it is possible to bypass the intended file extension and make users download malicious files with any extension. With malicious content injected into the file data, users unknowingly downloading and opening it may lead to the compromise of users' devices or data. This vulnerability is fixed in 4.89.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
clinical-genomics | scout | * (all versions before 4.89) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:clinical-genomics:scout:*:*:*:*:*:*:*:*", "matchCriteriaId": "44ADA126-F97E-4ADC-AE4C-7C54D3375D19", "versionEndExcluding": "4.89", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization in the filename, it is possible bypass intended file extension and make users download malicious files with any extension. With malicious content injected inside the file data and users unknowingly downloading it and opening may lead to the compromise of users\u0027 devices or data. This vulnerability is fixed in 4.89." }, { "lang": "es", "value": "Scout es un visualizador web para archivos VCF. Debido a la falta de desinfecci\u00f3n en el nombre de archivo, es posible eludir la extensi\u00f3n de archivo deseada y hacer que los usuarios descarguen archivos maliciosos con cualquier extensi\u00f3n. Si se inyecta contenido malicioso dentro de los datos del archivo y los usuarios lo descargan y abren sin saberlo, es posible que se vean comprometidos los dispositivos o los datos de los usuarios. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 4.89." 
} ], "id": "CVE-2024-47531", "lastModified": "2024-11-15T18:02:14.250", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-09-30T16:15:09.750", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/Clinical-Genomics/scout/commit/f59e50f8ea596e641da8a0e9c7a33c0696bcbea5" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-24xv-q29v-3h6r" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-116" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-05-03 09:15
Modified
2024-11-21 06:40
Summary
Path Traversal due to `send_file` call in GitHub repository clinical-genomics/scout prior to 4.52.
References
Source | URL | Tags |
---|---|---|---|
security@huntr.dev | https://github.com/clinical-genomics/scout/commit/952a2e2319af2d95d22b017a561730feac086ff1 | Patch, Third Party Advisory | |
security@huntr.dev | https://huntr.dev/bounties/7acac778-5ba4-4f02-99e2-e4e17a81e600 | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/clinical-genomics/scout/commit/952a2e2319af2d95d22b017a561730feac086ff1 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/7acac778-5ba4-4f02-99e2-e4e17a81e600 | Exploit, Patch, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
clinical-genomics | scout | * (all versions before 4.52) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:clinical-genomics:scout:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED14D69C-EDE1-46DA-85DB-8FAAEC48B060", "versionEndExcluding": "4.52", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Path Traversal due to `send_file` call in GitHub repository clinical-genomics/scout prior to 4.52." }, { "lang": "es", "value": "Un Salto de Ruta debido a la llamada \"send_file\" en el repositorio de GitHub clinical-genomics/scout versiones anteriores a 4.52" } ], "id": "CVE-2022-1554", "lastModified": "2024-11-21T06:40:57.480", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L", "version": "3.0" }, "exploitabilityScore": 2.1, "impactScore": 4.7, "source": "security@huntr.dev", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": 
"UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-05-03T09:15:08.903", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/clinical-genomics/scout/commit/952a2e2319af2d95d22b017a561730feac086ff1" }, { "source": "security@huntr.dev", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/7acac778-5ba4-4f02-99e2-e4e17a81e600" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/clinical-genomics/scout/commit/952a2e2319af2d95d22b017a561730feac086ff1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://huntr.dev/bounties/7acac778-5ba4-4f02-99e2-e4e17a81e600" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-36" } ], "source": "security@huntr.dev", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2022-1554 (GCVE-0-2022-1554)
Vulnerability from cvelistv5
Published
2022-05-03 08:20
Modified
2024-08-03 00:10
CWE
- CWE-36 - Absolute Path Traversal
Summary
Path Traversal due to `send_file` call in GitHub repository clinical-genomics/scout prior to 4.52.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
clinical-genomics | clinical-genomics/scout |
Version: unspecified < 4.52 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:10:02.933Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://huntr.dev/bounties/7acac778-5ba4-4f02-99e2-e4e17a81e600" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/clinical-genomics/scout/commit/952a2e2319af2d95d22b017a561730feac086ff1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "clinical-genomics/scout", "vendor": "clinical-genomics", "versions": [ { "lessThan": "4.52", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Path Traversal due to `send_file` call in GitHub repository clinical-genomics/scout prior to 4.52." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-36", "description": "CWE-36 Absolute Path Traversal", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-03T08:20:09", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://huntr.dev/bounties/7acac778-5ba4-4f02-99e2-e4e17a81e600" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/clinical-genomics/scout/commit/952a2e2319af2d95d22b017a561730feac086ff1" } ], "source": { "advisory": "7acac778-5ba4-4f02-99e2-e4e17a81e600", "discovery": "EXTERNAL" }, "title": "Path Traversal due to `send_file` call in clinical-genomics/scout", "x_legacyV4Record": { 
"CVE_data_meta": { "ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-1554", "STATE": "PUBLIC", "TITLE": "Path Traversal due to `send_file` call in clinical-genomics/scout" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "clinical-genomics/scout", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.52" } ] } } ] }, "vendor_name": "clinical-genomics" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Path Traversal due to `send_file` call in GitHub repository clinical-genomics/scout prior to 4.52." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-36 Absolute Path Traversal" } ] } ] }, "references": { "reference_data": [ { "name": "https://huntr.dev/bounties/7acac778-5ba4-4f02-99e2-e4e17a81e600", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/7acac778-5ba4-4f02-99e2-e4e17a81e600" }, { "name": "https://github.com/clinical-genomics/scout/commit/952a2e2319af2d95d22b017a561730feac086ff1", "refsource": "MISC", "url": "https://github.com/clinical-genomics/scout/commit/952a2e2319af2d95d22b017a561730feac086ff1" } ] }, "source": { "advisory": "7acac778-5ba4-4f02-99e2-e4e17a81e600", "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-1554", "datePublished": "2022-05-03T08:20:09", "dateReserved": "2022-05-03T00:00:00", "dateUpdated": "2024-08-03T00:10:02.933Z", "state": 
"PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-47531 (GCVE-0-2024-47531)
Vulnerability from cvelistv5
Published
2024-09-30 15:26
Modified
2024-09-30 16:31
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Summary
Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization of the filename, it is possible to bypass the intended file extension and make users download malicious files with any extension. With malicious content injected into the file data, users unknowingly downloading and opening it may lead to the compromise of users' devices or data. This vulnerability is fixed in 4.89.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Clinical-Genomics | scout |
Version: <= 4.88.1 |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:clinical-genomics:scout:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "scout", "vendor": "clinical-genomics", "versions": [ { "lessThanOrEqual": "4.88.1", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-47531", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-30T16:30:09.440058Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-30T16:31:07.889Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "scout", "vendor": "Clinical-Genomics", "versions": [ { "status": "affected", "version": "\u003c= 4.88.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization in the filename, it is possible bypass intended file extension and make users download malicious files with any extension. With malicious content injected inside the file data and users unknowingly downloading it and opening may lead to the compromise of users\u0027 devices or data. This vulnerability is fixed in 4.89." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-30T15:26:49.421Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-24xv-q29v-3h6r", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-24xv-q29v-3h6r" }, { "name": "https://github.com/Clinical-Genomics/scout/commit/f59e50f8ea596e641da8a0e9c7a33c0696bcbea5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Clinical-Genomics/scout/commit/f59e50f8ea596e641da8a0e9c7a33c0696bcbea5" } ], "source": { "advisory": "GHSA-24xv-q29v-3h6r", "discovery": "UNKNOWN" }, "title": "Scout contains insufficient output escaping of attachment names" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-47531", "datePublished": "2024-09-30T15:26:49.421Z", "dateReserved": "2024-09-25T21:46:10.929Z", "dateUpdated": "2024-09-30T16:31:07.889Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-47530 (GCVE-0-2024-47530)
Vulnerability from cvelistv5
Published
2024-09-30 15:17
Modified
2024-09-30 15:45
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Summary
Scout is a web-based visualizer for VCF-files. An open redirect vulnerability allows phishing attacks on users by redirecting them to a malicious page. The /login API endpoint is vulnerable to open redirect via the `next` parameter due to the absence of sanitization logic. Additionally, due to the lack of scheme validation, an HTTPS downgrade attack can be performed on users. This vulnerability is fixed in 4.89.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Clinical-Genomics | scout |
Version: < 4.89 |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:clinical-genomics:scout:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "scout", "vendor": "clinical-genomics", "versions": [ { "lessThan": "4.89", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-47530", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-30T15:44:10.932306Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-30T15:45:37.010Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "scout", "vendor": "Clinical-Genomics", "versions": [ { "status": "affected", "version": "\u003c 4.89" } ] } ], "descriptions": [ { "lang": "en", "value": "Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lack of scheme validation, HTTPS Downgrade Attack can be performed on the users. This vulnerability is fixed in 4.89." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-30T15:17:39.731Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-3x45-2m34-x95v", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Clinical-Genomics/scout/security/advisories/GHSA-3x45-2m34-x95v" }, { "name": "https://github.com/Clinical-Genomics/scout/commit/50055edfca9a7183b248019af97e1fb0b0065a02", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Clinical-Genomics/scout/commit/50055edfca9a7183b248019af97e1fb0b0065a02" } ], "source": { "advisory": "GHSA-3x45-2m34-x95v", "discovery": "UNKNOWN" }, "title": "Scout contains an Open Redirect on Login via `next`" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-47530", "datePublished": "2024-09-30T15:17:39.731Z", "dateReserved": "2024-09-25T21:46:10.929Z", "dateUpdated": "2024-09-30T15:45:37.010Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-1592 (GCVE-0-2022-1592)
Vulnerability from cvelistv5
Published
2022-05-05 10:20
Modified
2024-08-03 00:10
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Server-Side Request Forgery in scout in GitHub repository clinical-genomics/scout prior to v4.42. An attacker could make the application perform arbitrary requests, which could be used for phishing to steal cookies, to reach private areas, or to lead to XSS.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
clinical-genomics | clinical-genomics/scout |
Version: unspecified < v4.42 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:10:03.567Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://huntr.dev/bounties/352b39da-0f2e-415a-9793-5480cae8bd27" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/clinical-genomics/scout/commit/b0ef15f4737d0c801154c1991b52ff5cab4f5c83" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "clinical-genomics/scout", "vendor": "clinical-genomics", "versions": [ { "lessThan": "v4.42", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Server-Side Request Forgery in scout in GitHub repository clinical-genomics/scout prior to v4.42. An attacker could make the application perform arbitrary requests to fishing steal cookie, request to private area, or lead to xss..." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-05T10:20:09", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://huntr.dev/bounties/352b39da-0f2e-415a-9793-5480cae8bd27" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/clinical-genomics/scout/commit/b0ef15f4737d0c801154c1991b52ff5cab4f5c83" } ], "source": { "advisory": 
"352b39da-0f2e-415a-9793-5480cae8bd27", "discovery": "EXTERNAL" }, "title": "Server-Side Request Forgery in scout in clinical-genomics/scout", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-1592", "STATE": "PUBLIC", "TITLE": "Server-Side Request Forgery in scout in clinical-genomics/scout" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "clinical-genomics/scout", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "v4.42" } ] } } ] }, "vendor_name": "clinical-genomics" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Server-Side Request Forgery in scout in GitHub repository clinical-genomics/scout prior to v4.42. An attacker could make the application perform arbitrary requests to fishing steal cookie, request to private area, or lead to xss..." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-918 Server-Side Request Forgery (SSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://huntr.dev/bounties/352b39da-0f2e-415a-9793-5480cae8bd27", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/352b39da-0f2e-415a-9793-5480cae8bd27" }, { "name": "https://github.com/clinical-genomics/scout/commit/b0ef15f4737d0c801154c1991b52ff5cab4f5c83", "refsource": "MISC", "url": "https://github.com/clinical-genomics/scout/commit/b0ef15f4737d0c801154c1991b52ff5cab4f5c83" } ] }, "source": { "advisory": 
"352b39da-0f2e-415a-9793-5480cae8bd27", "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-1592", "datePublished": "2022-05-05T10:20:09", "dateReserved": "2022-05-05T00:00:00", "dateUpdated": "2024-08-03T00:10:03.567Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }