PT-2024-31774 · Confidant

Reindaelman · Published 2024-09-20 · Updated 2024-09-26 · CVE-2024-45793

CVSS v4.0: 5.1 (Medium)
Vector: AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Confidant versions prior to 6.6.2
Description: The issue is a cross-site scripting (XSS) vulnerability affecting several API endpoints in Confidant, an open-source secret management service. The affected endpoints are GET /v1/credentials, GET /v1/credentials/, GET /v1/archive/credentials/, GET /v1/archive/credentials, POST /v1/credentials, PUT /v1/credentials/, PUT /v1/credentials//<to revision>, GET /v1/services, GET /v1/services/, GET /v1/archive/services/, GET /v1/archive/services, PUT /v1/services/, and PUT /v1/services//<to revision>. To exploit the vulnerability, an attacker must be authenticated and hold privileges to create new credentials; successful exploitation could allow them to display information to, and run scripts in the sessions of, other users of the same Confidant instance.
Recommendations: For versions prior to 6.6.2, upgrade to version 6.6.2 to resolve the issue. As a temporary measure, consider restricting access to the vulnerable API endpoints until the upgrade can be applied, and avoid using the affected endpoints to create or manage credentials and services until the issue is resolved. Beyond these mitigations, there is no known workaround other than upgrading to the patched version.

Category: XSS

Related Identifiers: CVE-2024-45793, GHSA-RXQ8-Q85F-M866

Affected Products: Confidant