CVE-2024-49379

MEDIUM

Umbrel <1.2.2 - XSS

Title source: llm

Description

Umbrel is a home server OS for self-hosting. The login functionality of Umbrel before version 1.2.2 contains a reflected cross-site scripting (XSS) vulnerability in use-auth.tsx. An attacker can specify a malicious redirect query parameter to trigger the vulnerability. If a JavaScript URL is passed to the redirect parameter the attacker provided JavaScript will be executed after the user entered their password and clicked on login. This vulnerability is fixed in 1.2.2.

Exploits (1)

nomisec WORKING POC 1 stars

by OHDUDEOKNICE · poc

https://github.com/OHDUDEOKNICE/CVE-2024-49379

View Code ZIP pw:eip

References (3)

[Various Sources] https://securitylab.github.com/advisories/GHSL-2024-164_Umbrel/

[Patch] https://github.com/getumbrel/umbrel/commit/b83e3542650880bf1439419d00bf82285a7d2b22

[Release Notes] https://github.com/getumbrel/umbrel/releases/tag/1.2.2

Scores

CVSS v4 5.3

EPSS 0.0655

EPSS Percentile 91.2%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

getumbrel/umbrel < 1.2.2

Published Nov 13, 2024

Tracked Since Feb 18, 2026