ByteOS Network

NVD Vulnerability Details :

CVE-2024-49379

Deferred

Source-security-advisories@github.com

Published At-13 Nov, 2024 | 18:15

Updated At-15 Apr, 2026 | 00:35

Umbrel is a home server OS for self-hosting. The login functionality of Umbrel before version 1.2.2 contains a reflected cross-site scripting (XSS) vulnerability in use-auth.tsx. An attacker can specify a malicious redirect query parameter to trigger the vulnerability. If a JavaScript URL is passed to the redirect parameter the attacker provided JavaScript will be executed after the user entered their password and clicked on login. This vulnerability is fixed in 1.2.2.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	5.3	MEDIUM	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-79	Secondary	security-advisories@github.com

CWE ID: CWE-79

Type: Secondary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/getumbrel/umbrel/commit/b83e3542650880bf1439419d00bf82285a7d2b22	security-advisories@github.com	N/A
https://github.com/getumbrel/umbrel/releases/tag/1.2.2	security-advisories@github.com	N/A
https://securitylab.github.com/advisories/GHSL-2024-164_Umbrel/	security-advisories@github.com	N/A