Home > Vulnerability Database > CVE-2024-6586

Mend.io Vulnerability Database

CVE-2024-6586

Good to know:

Date: August 30, 2024

Lightdash version 0.1024.6 allows users with the necessary permissions, such as Administrator or Editor, to create and share dashboards. A dashboard that contains HTML elements which point to a threat actor controlled source can trigger an SSRF request when exported, via a POST request to /api/v1/dashboards//export. The forged request contains the value of the exporting user’s session token. A threat actor could obtain the session token of any user who exports the dashboard. The obtained session token can be used to perform actions as the victim on the application, resulting in session takeover.

Language: TYPE_SCRIPT

Severity Score

7.3

Related Resources (8)

Url: https://github.com/google/security-research/security/advisories/GHSA-4h7x-6vxh-7hjf

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-6586

Url: https://github.com/lightdash/lightdash/releases/tag/0.1027.2

Url: https://patch-diff.githubusercontent.com/raw/lightdash/lightdash/pull/9295.patch

Url: https://github.com/lightdash/lightdash

Url: https://www.cve.org/CVERecord?id=CVE-2024-6586

Url: https://github.com/lightdash/lightdash/pull/9295

Url: https://www.mend.io/vulnerability-database/CVE-2024-6586

Severity Score

7.3

Weakness Type (CWE)

Insertion of Sensitive Information Into Sent Data

CWE-201

Top Fix

Upgrade Version

Upgrade to version 0.1027.2

Learn More

CVSS v3.1

Base Score:	7.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-6586

Good to know:

Date: August 30, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?