How severe is CVE-2024-50347?

This vulnerability has a severity rating of MEDIUM with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2024-50347?

This is classified as CWE-347, which is a common weakness in software security.

CVE-2024-50347 - MEDIUM Severity | CVSS N/A

Vulnerability Description

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. Prior to 1.4.0, there is an issue where verification signatures for requests sent to Reverb's Pusher-compatible API were not being verified. This API is used in scenarios such as broadcasting a message from a backend service or for obtaining statistical information (such as number of connections) about a given channel. This issue only affects the Pusher-compatible API endpoints and not the WebSocket connections themselves. In order to exploit this vulnerability, the application ID which, should never be exposed, would need to be known by an attacker. This vulnerability is fixed in 1.4.0.

Related Vulnerabilities

CVE-2020-2021

CRITICAL

CVSS:10.0(Critical)

When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS ...

CWE-3472020

CVE-2023-25574

CRITICAL

CVSS:10.0(Critical)

`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). LTI13Authenticator that was introduced in `jupyterhub-ltiauthenticator` 1.3.0 wasn't validating J...

CWE-3472023

CVE-2024-32962

CRITICAL

CVSS:10.0(Critical)

xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the...

CWE-3472024

CVE-2022-26510

CRITICAL

CVSS:9.9(Critical)

A firmware update vulnerability exists in the iburn firmware checks functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted HTTP request can lead to firmware update. An attacker can ...

CWE-3472022

CVE-2014-3585

CRITICAL

CVSS:9.8(Critical)

redhat-upgrade-tool: Does not check GPG signatures when upgrading versions

CWE-3472014

CVE-2016-20021

CRITICAL

CVSS:9.8(Critical)

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-we...

CWE-3472016