PT-2024-28051 · Hush Line · Hush Line

Lsd-Cat

Published

2024-06-27

Updated

2024-06-28

CVE-2024-38523

CVSS v3.1

7.5

High

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Hush Line versions prior to 0.10

Description The issue concerns the TOTP authentication flow in Hush Line, which has multiple weaknesses that undermine its one-time nature. Specifically, the lack of 2FA for changing security settings allows an attacker with CSRF or XSS primitives to alter these settings without requiring user interaction or credentials.

Recommendations For versions prior to 0.10, update to version 0.10 to resolve the issue.

Exploit

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

CVE-2024-38523

GHSA-4C38-HHXX-9MHX

Affected Products

Hush Line

PT-2024-28051 · Hush Line · Hush Line

CVE-2024-38523

Weakness Enumeration

Related Identifiers

Affected Products

References · 5