PT-2024-28438 · Toy-Blog · Toy-Blog
Kisaragieffective · Published 2024-07-01 · Updated 2024-07-02
CVE-2024-39314
CVSS v3.1: 4.7 (Medium)
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
toy-blog versions 0.4.3 through 0.4.14. Versions prior to 0.4.14 have no workaround and must be updated; version 0.4.14 is still affected unless launched with the stdin workaround described below.
Description
The administrative password (the bearer token the service authenticates administrative requests with) is supplied to the server as a command-line argument. Command-line arguments are readable by every local account through the process table (for example ps, or /proc/<pid>/cmdline on Linux), so any unprivileged user on the same host can recover the token while the service is running. This matches the CVSS vector: local attack vector, low privileges required, high confidentiality impact, no integrity or availability impact. This issue was patched in version 0.5.0.
Recommendations
For version 0.4.14 and later, pass --read-bearer-token-from-stdin in the launch arguments and feed the token on standard input as a workaround; the token then never appears in the process's argument list. Take care that the value is not itself typed as a literal on a command line (for example echo 'token' | ...), which would put it into shell history and possibly into another process's argument list; pipe it from a file with restricted permissions or from a secret store instead. Updating to version 0.5.0 resolves the issue.
For versions 0.4.3 through 0.4.13 (prior to 0.4.14), the workaround flag is not available; update to version 0.5.0 to resolve the issue.
Exploit
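The following shell script is an added example, not part of this advisory or of the toy-blog project. It reproduces the leak class described above and shows why the stdin workaround closes it: a stand-in "server" (just sh running sleep) is started once with the secret in its arguments and once with the secret delivered on standard input, and each time the script reads back what the operating system exposes as that process's command line. The flag name --bearer-token and the secret value are assumptions chosen for illustration; the advisory does not name the leaking option.

```sh
#!/bin/sh
# Added example, not toy-blog code. Demonstrates that a secret passed as a
# launch argument is visible to other local users via the process table,
# while a secret delivered on stdin is not. "--bearer-token" is a
# hypothetical flag name; the stand-in server is sh + sleep.

# Print the command line the OS exposes for process $1.
# Prefers Linux /proc (the same data ps reads), falls back to ps elsewhere.
show_cmdline() {
  if [ -r "/proc/$1/cmdline" ]; then
    tr '\0' ' ' < "/proc/$1/cmdline"
  else
    ps -o args= -p "$1"
  fi
}

# Stop the stand-in server and reap it without disturbing set -e callers.
stop_server() {
  kill "$1" 2>/dev/null || true
  wait "$1" 2>/dev/null || true
}

# Launch the stand-in with the secret in argv (the vulnerable pattern).
# Returns 0 if the secret shows up in the process listing, 1 otherwise.
secret_visible_via_argv() {
  secret="$1"
  # Two commands in -c so the shell does not exec() sleep directly and
  # replace its own argument list; $0 is "server", $1 carries the secret.
  sh -c 'sleep 3; exit 0' server "--bearer-token=$secret" &
  pid=$!
  sleep 1                                  # let the child exec before reading
  listing=$(show_cmdline "$pid")
  stop_server "$pid"
  case "$listing" in
    *"$secret"*) return 0 ;;               # leaked: visible to any local user
    *)           return 1 ;;
  esac
}

# Launch the stand-in with the secret on stdin (the advisory's workaround
# pattern for --read-bearer-token-from-stdin). Returns 0 if the secret is
# visible in the process listing, 1 otherwise.
secret_visible_via_stdin() {
  secret="$1"
  printf '%s\n' "$secret" | sh -c 'read -r tok; sleep 3; exit 0' server &
  pid=$!                                   # pid of the last pipeline element (sh)
  sleep 1
  listing=$(show_cmdline "$pid")
  stop_server "$pid"
  case "$listing" in
    *"$secret"*) return 0 ;;
    *)           return 1 ;;
  esac
}

# Stand-alone run: report both cases for a constructed example token.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  tok="example-token-4f1c"
  if secret_visible_via_argv "$tok"; then echo "argv:  secret visible (leak)"; else echo "argv:  hidden"; fi
  if secret_visible_via_stdin "$tok"; then echo "stdin: secret visible"; else echo "stdin: hidden (workaround works)"; fi
fi
```

The argv case is exactly what an unprivileged local account sees with a plain ps listing, which is why the advisory scores the issue as local with low privileges required. Note that the stdin variant only helps if the value reaching the pipe was not itself expanded on a command line visible to others.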
Fix
Information Disclosure
Related Identifiers
Affected Products
Toy-Blog