CVE-2024-55500

HIGH

Avenwu Whistle <= 2.9.90 - Cross-Site Request Forgery

Title source: llm

Description

Cross-Site Request Forgery (CSRF) in Avenwu Whistle v.2.9.90 and before allows attackers to perform malicious API calls, resulting in the execution of arbitrary code on the victim's machine.

References (2)

Core 2

Core References

Various Sources

https://www.sonarsource.com/blog/never-underestimate-csrf-why-origin-reflection-is-a-bad-idea/

Patch

https://github.com/avwo/whistle/commit/d1b8ca275dc4e453bd2efed392c0fd4b92f73cdf

View Patch ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0069

EPSS Percentile 71.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-352

Status published

Products (1)

npm/whistle 0npm

Published Dec 10, 2024

Tracked Since Feb 18, 2026