PT-2024-33493 · Umbrel · Umbrel

Published 2024-11-08 · Updated 2024-11-15 · CVE-2024-49379

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Umbrel versions prior to 1.2.2

Description: The login functionality of Umbrel contains a reflected cross-site scripting (XSS) vulnerability in use-auth.tsx. An attacker can supply a malicious redirect query parameter to trigger the vulnerability. If a JavaScript URL is passed in the redirect parameter, the attacker-provided JavaScript is executed after the user enters their password and clicks Login.

Recommendations: For versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. As a temporary workaround, consider disabling the login functionality until a patch is available. Restrict access to the use-auth.tsx module to minimize the risk of exploitation. Avoid using the redirect parameter in the login functionality until the issue is resolved.
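The root cause described above is a post-login redirect that trusts a user-controlled URL, including one with a javascript: scheme. The following is an added example of the kind of allow-list check a login hook should apply to such a parameter before navigating; it is not Umbrel's code, and the function name and fallback path are assumptions.

```typescript
// Added example, not part of Umbrel: only accept a same-origin, path-only
// redirect target. Anything else (javascript:, data:, absolute or
// protocol-relative URLs, control characters) falls back to a fixed path.

const SAFE_FALLBACK = '/'                      // assumed default landing page
const DUMMY_ORIGIN = 'http://placeholder.invalid' // fixed base used only for parsing

function safeRedirect(raw: string | null | undefined, fallback: string = SAFE_FALLBACK): string {
  if (!raw) return fallback

  // Control characters (tab, newline, NUL, ...) are stripped by some URL parsers,
  // which can turn an apparently harmless string into a scheme; reject them outright.
  if (/[\u0000-\u001F\u007F]/.test(raw)) return fallback

  // A safe target is a single leading "/" followed by a path. "//host" is a
  // protocol-relative URL and "/\host" is treated the same way by browsers.
  if (!raw.startsWith('/') || raw.startsWith('//') || raw.startsWith('/\\')) return fallback

  // Parse relative to a fixed dummy origin. If any scheme or host was smuggled in,
  // the parsed origin will no longer be the dummy one and we refuse the value.
  let parsed: URL
  try {
    parsed = new URL(raw, DUMMY_ORIGIN)
  } catch {
    return fallback
  }
  if (parsed.origin !== DUMMY_ORIGIN || parsed.protocol !== 'http:') return fallback

  // Hand back only path, query and fragment; never an origin the caller did not choose.
  return parsed.pathname + parsed.search + parsed.hash
}
```

The returned value can then be passed to the router after a successful login; a rejected parameter silently lands on the fallback page instead of being executed or followed off-site.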

Exploit · Fix

Tags: XSS

Related Identifiers: CVE-2024-49379

Affected Products: Umbrel