PT-2022-15044 · Unknown · Onionshare

Micahflee

Published

2022-01-18

Updated

2024-06-15

CVE-2022-21692

CVSS v4.0

5.3

Medium

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions OnionShare versions prior to the fixed version

Description OnionShare is an open source tool that lets users securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions, anyone with access to the chat environment can write messages disguised as another chat participant. This issue is due to improper access control, allowing an adversary to impersonate existing chat participants and write messages, but not read the conversation.

Recommendations

Implement proper session handling to prevent unauthorized access to the chat environment.
As a temporary workaround, consider restricting access to the chat environment until a patch is available.
Avoid using the update username function to choose an existing username from the chat until the issue is resolved.
Restrict modification of the chat.js script in the browser's internal debugger to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

CVE-2022-21692

GHSA-GJJ5-998G-V36V

OPENSUSE-SU-2024:11983-1

OPENSUSE-SU-2024:13635-1

PYSEC-2022-43

Affected Products

Onionshare

PT-2022-15044 · Unknown · Onionshare

CVE-2022-21692

Weakness Enumeration

Related Identifiers

Affected Products

References · 29