Clinical-Genomics scout up to 4.88 VCF File /login Next redirect

Summaryinfo

A vulnerability identified as critical has been detected in Clinical-Genomics scout up to 4.88. This vulnerability affects unknown code of the file /login of the component VCF File Handler. This manipulation of the argument Next causes redirect. This vulnerability is registered as CVE-2024-47530. Remote exploitation of the attack is possible. No exploit is available. You should upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in Clinical-Genomics scout up to 4.88. Affected by this vulnerability is some unknown functionality of the file /login of the component VCF File Handler. The manipulation of the argument next with an unknown input leads to a redirect vulnerability. The CWE definition for the vulnerability is CWE-601. A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lack of scheme validation, HTTPS Downgrade Attack can be performed on the users. This vulnerability is fixed in 4.89.

It is possible to read the advisory at github.com. This vulnerability is known as CVE-2024-47530 since 09/25/2024. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1204.001 according to MITRE ATT&CK.

The vulnerability scanner Nessus provides a plugin with the ID 213692 (SUSE SLED15 / SLES15 / openSUSE 15 Security Update : gstreamer-plugins-good (SUSE-SU-2025:0055-1)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 4.89 eliminates this vulnerability. Applying the patch 50055edfca9a7183b248019af97e1fb0b0065a02 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (213692). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• Clinical-Genomics

Name

• scout

Version

• 4.0
• 4.1
• 4.2
• 4.3
• 4.4
• 4.5
• 4.6
• 4.7
• 4.8
• 4.9
• 4.10
• 4.11
• 4.12
• 4.13
• 4.14
• 4.15
• 4.16
• 4.17
• 4.18
• 4.19
• 4.20
• 4.21
• 4.22
• 4.23
• 4.24
• 4.25
• 4.26
• 4.27
• 4.28
• 4.29
• 4.30
• 4.31
• 4.32
• 4.33
• 4.34
• 4.35
• 4.36
• 4.37
• 4.38
• 4.39
• 4.40
• 4.41
• 4.42
• 4.43
• 4.44
• 4.45
• 4.46
• 4.47
• 4.48
• 4.49
• 4.50
• 4.51
• 4.52
• 4.53
• 4.54
• 4.55
• 4.56
• 4.57
• 4.58
• 4.59
• 4.60
• 4.61
• 4.62
• 4.63
• 4.64
• 4.65
• 4.66
• 4.67
• 4.68
• 4.69
• 4.70
• 4.71
• 4.72
• 4.73
• 4.74
• 4.75
• 4.76
• 4.77
• 4.78
• 4.79
• 4.80
• 4.81
• 4.82
• 4.83
• 4.84
• 4.85
• 4.86
• 4.87
• 4.88

License

• open-source

Website

• Product: https://github.com/Clinical-Genomics/scout/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion