ByteOS Network

Vulnerability Details :

CVE-2024-52270

Assigner-VULSec

Assigner Org ID-2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe

Published At-05 Dec, 2024 | 10:55

Updated At-05 Dec, 2024 | 16:52

PDF Document Spoofing in DropBox Sign(HelloSign)

User Interface (UI) Misrepresentation of Critical Information vulnerability in DropBox Sign(HelloSign) allows Content Spoofing. Displayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects DropBox Sign(HelloSign): through 2024-12-04.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:VULSec

Assigner Org ID:2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe

Published At:05 Dec, 2024 | 10:55

Updated At:05 Dec, 2024 | 16:52

▼CVE Numbering Authority (CNA)

PDF Document Spoofing in DropBox Sign(HelloSign)

Affected Products

Vendor

DropBox(HelloSign)

Product

DropBox Sign

Default Status

affected

Versions

Affected

From 0 through 2024-12-04 (git)

Problem Types

Type	CWE ID	Description
CWE	CWE-451	CWE-451 User Interface (UI) Misrepresentation of Critical Information

Type: CWE

CWE ID: CWE-451

Description: CWE-451 User Interface (UI) Misrepresentation of Critical Information

Metrics

Version	Base score	Base severity	Vector
4.0	8.2	HIGH	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/AU:Y/U:Red

Version: 4.0

Base score: 8.2

Base severity: HIGH

Vector:

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/AU:Y/U:Red

Metrics Other Info

Impacts

CAPEC ID	Description
CAPEC-148	CAPEC-148 Content Spoofing

CAPEC ID: CAPEC-148

Description: CAPEC-148 Content Spoofing

Workarounds

* If other party initiated e-signing - Download the PDF file for a security professionals/educated persons inspection * If possible - Download the PDF file and perform full flattening (of the entire document, not just form fields)

Exploits

Known, potentially in use (e.g., spear phishing)

Credits

finder

Erez Kalman

References

Hyperlink	Resource
https://www.vulsec.org/advisories	vdb-entry
https://www.loom.com/share/48f63594e14c49e19840ad9cb7d60453?sid=816c6afa-0b67-4b0b-98ff-d5c58d464038	exploit
https://new.space/s/ZuHoujvkjdzfY7Uihah7Yg#SKWLU_g2Cihfj4qsq9XNy6F4saxVAzD876PujiDOYfs	exploit
https://drive.proton.me/urls/Z6DHXNRZQC#jkfO38rjOiOj	exploit
https://sign.dropbox.com/	product
https://app.hellosign.com/	product

Hyperlink: https://www.vulsec.org/advisories

Resource:

vdb-entry

Hyperlink: https://www.loom.com/share/48f63594e14c49e19840ad9cb7d60453?sid=816c6afa-0b67-4b0b-98ff-d5c58d464038

Resource:

exploit

Hyperlink: https://new.space/s/ZuHoujvkjdzfY7Uihah7Yg#SKWLU_g2Cihfj4qsq9XNy6F4saxVAzD876PujiDOYfs

Resource:

exploit

Hyperlink: https://drive.proton.me/urls/Z6DHXNRZQC#jkfO38rjOiOj

Resource:

exploit

Hyperlink: https://sign.dropbox.com/

Resource:

product

Hyperlink: https://app.hellosign.com/

Resource:

product

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe

Published At:05 Dec, 2024 | 11:15

Updated At:05 Dec, 2024 | 13:15

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	8.2	HIGH	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red

Type: Secondary

Version: 4.0

Base score: 8.2

Base severity: HIGH

Vector:

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:Red