CVE-2024-52597
MEDIUM2fauth < 5.4.1 - Stored Cross-Site Scripting via SVG Upload
Title source: llmDescription
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Versions prior to 5.4.1 are vulnerable to stored cross-site scripting due to improper headers in direct access to uploaded SVGs. The application allows uploading images in several places. One of the accepted types of image is SVG, which allows JS scripting. Therefore, by uploading a malicious SVG which contains JS code, an attacker which is able to drive a victim to the uploaded image could compromise that victim's session and access to their tokens. Version 5.4.1 contains a patch for the issue.
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/Bubka/2FAuth/security/advisories/GHSA-q5p4-6q4v-gqg3
Patch x_refsource_misc
https://github.com/Bubka/2FAuth/commit/93c508e118f483f3c93ac36e1f91face95af642d
Scores
CVSS v3
6.1
EPSS
0.0036
EPSS Percentile
27.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-80
CWE-79
Status
published
Products (1)
2fauth/2fauth
< 5.4.1
Published
Nov 20, 2024
Tracked Since
Feb 18, 2026