CVE-2024-55500 — Avenwu Whistle Cross-Site Request Forgery (CSRF)

Description

Cross-Site Request Forgery (CSRF) in Avenwu Whistle v.2.9.90 and before allows attackers to perform malicious API calls, resulting in the execution of arbitrary code on the victim's machine.

How to fix CVE-2024-55500

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

npm/whistle—no fix listed

Is CVE-2024-55500 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 2.9.90

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-55500
PATCHgithub.com/avwo/whistle
WEBgithub.com/avwo/whistle/commit/d1b8ca275dc4e453bd2efed392c0fd4b92f73cdf
WEBwww.sonarsource.com/blog/never-underestimate-csrf-why-origin-reflection-is-a-bad-idea