CVE-2024-51492

CVSS V2 None CVSS V3 None
Description
Zusam is a free and open-source way to self-host private forums. Prior to version 0.5.6, specially crafted SVG files uploaded to the service as images allow for unrestricted script execution on (raw) image load. With certain payloads, theft of the target user’s long-lived session token is possible. Note that Zusam, at the time of writing, uses a user’s static API key as a long-lived session token, and these terms can be used interchangeably on the platform. This session token/API key remains valid indefinitely, so long as the user doesn’t expressly request a new one via their Settings page. Version 0.5.6 fixes the cross-site scripting vulnerability.
Overview
  • CVE ID
  • CVE-2024-51492
  • Assigner
  • GitHub_M
  • Vulnerability Status
  • PUBLISHED
  • Published Version
  • 2024-11-01T16:22:46.645Z
  • Last Modified Date
  • 2024-11-01T20:18:15.274Z
History
Created Old Value New Value Data Type Notes
2024-11-02 13:08:23 Added to TrackCVE