Yooooomi your_spotify up to 1.7.x data query logic injection
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.2 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, has been found in Yooooomi your_spotify up to 1.7.x. Impacted is an unknown function. This manipulation causes data query logic injection. The identification of this vulnerability is CVE-2024-28192. It is possible to initiate the attack remotely. There is no exploit available. It is advisable to upgrade the affected component.
Details
A vulnerability classified as problematic was found in Yooooomi your_spotify up to 1.7.x. Affected by this vulnerability is an unknown functionality. The manipulation with an unknown input leads to a data query logic injection vulnerability. The CWE definition for the vulnerability is CWE-943. The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query. As an impact it is known to affect confidentiality. The summary by CVE is:
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version <1.8.0 is vulnerable to NoSQL injection in the public access token processing logic. Attackers can fully bypass the public token authentication mechanism, regardless if a public token has been generated before or not, without any user interaction or prerequisite knowledge. This vulnerability allows an attacker to fully bypass the public token authentication mechanism, regardless if a public token has been generated before or not, without any user interaction or prerequisite knowledge. This issue has been addressed in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
The weakness was shared 03/13/2024. The advisory is shared at github.com. This vulnerability is known as CVE-2024-28192 since 03/06/2024. Neither technical details nor an exploit are publicly available.
Upgrading to version 1.8.0 eliminates this vulnerability.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Vendor
Name
Version
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.3VulDB Meta Temp Score: 5.2
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 5.3
NVD Vector: 🔍
CNA Base Score: 5.3
CNA Vector (GitHub, Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Data query logic injectionCWE: CWE-943 / CWE-20
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: your_spotify 1.8.0
Timeline
03/06/2024 🔍03/13/2024 🔍
03/13/2024 🔍
01/24/2025 🔍
Sources
Product: github.comAdvisory: GHSA-c8wf-wcjc-2pvm
Status: Confirmed
CVE: CVE-2024-28192 (🔍)
GCVE (CVE): GCVE-0-2024-28192
GCVE (VulDB): GCVE-100-256789
Entry
Created: 03/13/2024 21:42Updated: 01/24/2025 16:36
Changes: 03/13/2024 21:42 (47), 04/15/2024 11:04 (15), 04/15/2024 11:10 (1), 01/24/2025 16:36 (11)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.