CVE-2024-6586
Lightdash 0.1024.6 - <0.1027.2 - Authenticated Server-Side Request Forgery via Dashboard Export
Severity: HIGH (Nuclei template available)
Exploitation Summary
CVE-2024-6586 has a Nuclei detection template available; see the Nuclei Templates section below for the Shodan/FOFA recon queries.
Description
Lightdash version 0.1024.6 allows users with the necessary permissions, such as Administrator or Editor, to create and share dashboards. A dashboard containing HTML elements that point to a threat-actor-controlled source can trigger an SSRF request when the dashboard is exported via a POST request to /api/v1/dashboards//export. The forged request carries the exporting user's session token, so a threat actor could obtain the session token of any user who exports the dashboard. The obtained session token can then be used to perform actions as the victim in the application, resulting in session takeover.
Nuclei Templates (1)
Lightdash v0.1024.6 - Server-Side Request Forgery
Severity: HIGH | Verified | Authors: iamnoooob, rootxharsh, pdresearch
Shodan query:
title:"Lightdash"
References (6)
Core References
Various Sources: https://github.com/lightdash/lightdash
Various Sources: https://www.cve.org/CVERecord?id=CVE-2024-6586
Issue Tracking: https://github.com/lightdash/lightdash/pull/9295
Scores
CVSS v3: 7.3
EPSS: 0.0179
EPSS Percentile: 75.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-201
Status: published
Products (1)
Lightdash/Lightdash: 0.1024.6 - 0.1027.2
Published: Aug 30, 2024
Tracked Since: Feb 18, 2026