CVE-2024-41256

Default configurations in the ShareProofVerifier function of filestash v0.4 causes the application to skip the TLS certificate verification process when sending out email verification codes, possibly allowing attackers to access sensitive data via a man-in-the-middle attack.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/nyxfqq/a6da3fe6128b978ea1aaa5df639d5f98	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:filestash:filestash:*:*:*:*:*:*:*:*

History

15 Aug 2024, 14:27

Type	Values Removed	Values Added
First Time		Filestash filestash Filestash
CWE		CWE-295
CPE		cpe:2.3:a:filestash:filestash::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.9
References	~~() https://gist.github.com/nyxfqq/a6da3fe6128b978ea1aaa5df639d5f98 -~~	() https://gist.github.com/nyxfqq/a6da3fe6128b978ea1aaa5df639d5f98 - Third Party Advisory

01 Aug 2024, 12:42

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-31 21:15

Updated : 2025-03-18 18:15

NVD link : CVE-2024-41256

Mitre link : CVE-2024-41256

CVE.ORG link : CVE-2024-41256

JSON object : View

Products Affected

filestash

filestash

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2024-41256", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2024-07-31T21:15:18.117", "references": [{"url": "https://gist.github.com/nyxfqq/a6da3fe6128b978ea1aaa5df639d5f98", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "Default configurations in the ShareProofVerifier function of filestash v0.4 causes the application to skip the TLS certificate verification process when sending out email verification codes, possibly allowing attackers to access sensitive data via a man-in-the-middle attack."}, {"lang": "es", "value": "Las configuraciones predeterminadas en la funci\u00f3n ShareProofVerifier de filestash v0.4 hacen que la aplicaci\u00f3n omita el proceso de verificaci\u00f3n del certificado TLS al enviar c\u00f3digos de verificaci\u00f3n por correo electr\u00f3nico, lo que posiblemente permita a los atacantes acceder a datos confidenciales a trav\u00e9s de un ataque de man-in-the-middle."}], "lastModified": "2025-03-18T18:15:27.097", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:filestash:filestash:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F46510CC-65D9-41B7-885E-42CB8CE49494", "versionEndIncluding": "0.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}