CVE-2024-51989
CVSS 3.1 Score 7.1 of 10 (high)
Details
Summary
CVE-2024-51989 is a cross-site scripting (XSS) vulnerability affecting versions 1.41.1 through 1.48.0 of the PasswordPusher application. The issue stems from an unsanitized parameter that lets attackers inject malicious JavaScript into the app. Affected deployments are self-hosted instances with the login system enabled. Successful exploitation could result in data exposure, session hijacking, or unintended user actions. An attacker would need to lure a user into clicking a malicious account confirmation link. The recommended fix is to update to version 1.48.1 or later, where input sanitization has been implemented. No known workarounds exist for this vulnerability.
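The class of defect described above (a request parameter reaching the rendered page without HTML escaping) is illustrated below with an added example; this is not PasswordPusher's code, and the parameter name, the page text and the sample value are constructed assumptions, since the advisory does not name the affected parameter. It contrasts the unsafe interpolation with the escaped form (Ruby's standard-library ERB::Util.html_escape) and adds a check a reviewer or test suite can run to confirm that untrusted input is no longer reflected verbatim.

```ruby
require 'erb'

# Constructed sample standing in for an untrusted query parameter on an
# account-confirmation page. The real parameter in CVE-2024-51989 is not
# named on the advisory page; this value only demonstrates the pattern.
UNTRUSTED_PARAM = '<script>alert(1)</script>'

# Vulnerable pattern: a request parameter is interpolated straight into HTML.
# Any tag or attribute the user supplies is delivered to the browser as markup.
def render_unsafe(value)
  "<p>Account confirmed for #{value}</p>"
end

# Hardened pattern: every untrusted value is HTML-escaped before it reaches
# the page, so '<', '>', '&', '"' and "'" become character references and
# the browser treats the value as text, never as markup.
def render_safe(value)
  "<p>Account confirmed for #{ERB::Util.html_escape(value)}</p>"
end

# Defensive check: true when an untrusted value containing markup
# characters appears in the output exactly as it was submitted, which is
# the signature of a missing-escaping (reflected XSS) defect.
def reflected_unescaped?(rendered_html, untrusted_value)
  return false unless untrusted_value.match?(/[<>"']/)

  rendered_html.include?(untrusted_value)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe : #{render_unsafe(UNTRUSTED_PARAM)}"
  puts "safe   : #{render_safe(UNTRUSTED_PARAM)}"
  puts "unsafe reflects raw input? #{reflected_unescaped?(render_unsafe(UNTRUSTED_PARAM), UNTRUSTED_PARAM)}"
  puts "safe reflects raw input?   #{reflected_unescaped?(render_safe(UNTRUSTED_PARAM), UNTRUSTED_PARAM)}"
end
```

In a Rails application such as PasswordPusher, ERB templates escape interpolated values by default; the unsafe shape above typically appears when a value is marked `html_safe`, passed through `raw`, or assembled by string concatenation inside a helper and then rendered. Auditing those three call sites for any value derived from request parameters is the practical way to find this defect class in a self-hosted deployment, and the `reflected_unescaped?` check above can be wired into a controller or view test for the confirmation page.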