CVE-2024-31206
8.2
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Exploitability: 3.9 / Impact: 4.2
Source: security-advisories@github.com (Secondary)
Description
dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `dectalk-tts@1.0.0`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victim of a man-in-the-middle (MITM) attack. The network request was upgraded to HTTPS in version `1.0.1`. There are no workarounds, but some precautions include not sending any sensitive information and carefully verifying the API response before saving it.
Related CWEs
CWE-300
Channel Accessible by Non-Endpoint
The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
CWE-319
Cleartext Transmission of Sensitive Information
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
CWE-598
Use of GET Request Method With Sensitive Query Strings
The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
References (10)
Source: security-advisories@github.com
Source: security-advisories@github.com
Source: security-advisories@github.com
Source: security-advisories@github.com
Source: security-advisories@github.com
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Timeline
No history available yet.