CVE-2024-27092 - Vulnerability Details - OpenCVE

Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label (Edit Team) - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload (external link) is presented in clickable form - easier to achieve own goals by malicious actors. This issue is fixed in 2023.12.6.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hoppscotch	Hoppscotch

Configuration 1 [-]

cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153
https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5
https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp

History

Tue, 01 Apr 2025 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Hoppscotch Hoppscotch hoppscotch
CPEs		cpe:2.3:a:hoppscotch:hoppscotch::::::::
Vendors & Products		Hoppscotch Hoppscotch hoppscotch

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-02-26T19:40:57.427Z

Updated: 2024-08-02T00:27:57.835Z

Reserved: 2024-02-19T14:43:05.993Z

Link: CVE-2024-27092

Vulnrichment

Updated: 2024-08-02T00:27:57.835Z

NVD

Status : Analyzed

Published: 2024-02-29T01:44:19.610

Modified: 2025-04-01T15:22:06.423

Link: CVE-2024-27092

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27092", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-19T14:43:05.993Z", "datePublished": "2024-02-26T19:40:57.427Z", "dateUpdated": "2024-08-02T00:27:57.835Z"}, "containers": {"cna": {"title": "Content spoofing - real Hoppscotch emails", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp"}, {"name": "https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5", "tags": ["x_refsource_MISC"], "url": "https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5"}, {"name": "https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153", "tags": ["x_refsource_MISC"], "url": "https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153"}], "affected": [{"vendor": "hoppscotch", "product": "hoppscotch", "versions": [{"version": "< 2023.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-26T19:40:57.427Z"}, "descriptions": [{"lang": "en", "value": "Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label (Edit Team) - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload (external link) is presented in clickable form - easier to achieve own goals by malicious actors. This issue is fixed in 2023.12.6."}], "source": {"advisory": "GHSA-8r6h-8r68-q3pp", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "hoppscotch", "product": "hoppscotch", "cpes": ["cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2023.12.6", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-07T16:30:40.545128Z", "id": "CVE-2024-27092", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-25T16:35:18.750Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:57.835Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp"}, {"name": "https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5"}, {"name": "https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp", "name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5", "name": "https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153", "name": "https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:57.835Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27092", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-07T16:30:40.545128Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*"], "vendor": "hoppscotch", "product": "hoppscotch", "versions": [{"status": "affected", "version": "0", "lessThan": "2023.12.6", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-25T16:35:14.163Z"}}], "cna": {"title": "Content spoofing - real Hoppscotch emails", "source": {"advisory": "GHSA-8r6h-8r68-q3pp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "hoppscotch", "product": "hoppscotch", "versions": [{"status": "affected", "version": "< 2023.12.6"}]}], "references": [{"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp", "name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5", "name": "https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153", "name": "https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label (Edit Team) - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload (external link) is presented in clickable form - easier to achieve own goals by malicious actors. This issue is fixed in 2023.12.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-26T19:40:57.427Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27092", "state": "PUBLISHED", "dateUpdated": "2024-08-02T00:27:57.835Z", "dateReserved": "2024-02-19T14:43:05.993Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-26T19:40:57.427Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*", "matchCriteriaId": "937A07DD-740B-44D8-8C26-6076CB930FF1", "versionEndExcluding": "2023.12.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label (Edit Team) - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload (external link) is presented in clickable form - easier to achieve own goals by malicious actors. This issue is fixed in 2023.12.6."}, {"lang": "es", "value": "Hoppscotch es un ecosistema de desarrollo de API. Debido a la falta de validaci\u00f3n de campos como Etiqueta (Editar equipo) - Nombre del equipo, los delincuentes pueden enviar correos electr\u00f3nicos con contenido falsificado como Rayuela. Parte de el payload (enlace externo) se presenta en un formato en el que se puede hacer clic, lo que facilita que los actores malintencionados alcancen sus propios objetivos. Este problema se solucion\u00f3 en 2023.12.6."}], "id": "CVE-2024-27092", "lastModified": "2025-04-01T15:22:06.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-29T01:44:19.610", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}