CVE-2024-38523

Source
https://cve.org/CVERecord?id=CVE-2024-38523
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38523.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-38523
Aliases
  • GHSA-4c38-hhxx-9mhx
Published
2024-06-27T19:23:19.488Z
Modified
2026-04-02T12:17:14.343323Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Hush Line OTP issue
Details

Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The TOTP authentication flow has multiple issues that weaken its one-time nature. Specifically, the lack of 2FA for changing security settings allows an attacker with CSRF or XSS primitives to change such settings without user interaction, and credentials are required. This vulnerability has been patched in version 0.10.

Database specific
{
    "cwe_ids": [
        "CWE-287"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38523.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/scidsg/hushline

Affected ranges

Type
GIT
Repo
https://github.com/scidsg/hushline
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.1.0"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38523.json"