Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities by opft
CVE-2024-2045 (GCVE-0-2024-2045)
Vulnerability from nvd – Published: 2024-02-29 23:37 – Updated: 2025-05-19 16:56
VLAI
Title
Session 1.17.5 - LFR via chat attachment
Summary
Session version 1.17.5 allows obtaining internal application files and public
files from the user's device without the user's consent. This is possible
because the application is vulnerable to Local File Read via chat attachments.
Severity
5.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
Impacted products
Date Public
2024-02-29 23:33
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:opft:session:1.17.5:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "session",
"vendor": "opft",
"versions": [
{
"status": "affected",
"version": "1.17.5"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2045",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-06T18:55:34.971070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:52:53.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:37.761Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/newman/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/oxen-io/session-android/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Session",
"vendor": "Session",
"versions": [
{
"status": "affected",
"version": "1.17.5"
}
]
}
],
"datePublic": "2024-02-29T23:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003eSession version 1.17.5 allows obtaining internal application files and public\u003c/div\u003e\u003cdiv\u003efiles from the user\u0027s device without the user\u0027s consent. This is possible\u003c/div\u003e\u003cdiv\u003ebecause the application is vulnerable to Local File Read via chat attachments.\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "Session version 1.17.5 allows obtaining internal application files and public\n\nfiles from the user\u0027s device without the user\u0027s consent. This is possible\n\nbecause the application is vulnerable to Local File Read via chat attachments."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T16:56:56.891Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/newman/"
},
{
"url": "https://github.com/oxen-io/session-android/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Session 1.17.5 - LFR via chat attachment",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2024-2045",
"datePublished": "2024-02-29T23:37:37.339Z",
"dateReserved": "2024-02-29T23:31:27.739Z",
"dateUpdated": "2025-05-19T16:56:56.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1955 (GCVE-0-2022-1955)
Vulnerability from nvd – Published: 2022-06-30 15:17 – Updated: 2024-08-03 00:24
VLAI
Summary
Session 1.13.0 allows an attacker with physical access to the victim's device to bypass the application's password/pin lock to access user data. This is possible due to lack of adequate security controls to prevent dynamic code manipulation.
Severity
No CVSS data available.
CWE
- Improper Access Control
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/advisories/tempest/ | x_refsource_MISC |
| https://github.com/oxen-io/session-android/pull/897 | x_refsource_MISC |
| https://github.com/oxen-io/session-android | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:43.755Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/tempest/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/oxen-io/session-android/pull/897"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/oxen-io/session-android"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Session",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "1.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Session 1.13.0 allows an attacker with physical access to the victim\u0027s device to bypass the application\u0027s password/pin lock to access user data. This is possible due to lack of adequate security controls to prevent dynamic code manipulation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-30T15:17:25.000Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fluidattacks.com/advisories/tempest/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/oxen-io/session-android/pull/897"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/oxen-io/session-android"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "help@fluidattacks.com",
"ID": "CVE-2022-1955",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Session",
"version": {
"version_data": [
{
"version_value": "1.13.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Session 1.13.0 allows an attacker with physical access to the victim\u0027s device to bypass the application\u0027s password/pin lock to access user data. This is possible due to lack of adequate security controls to prevent dynamic code manipulation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fluidattacks.com/advisories/tempest/",
"refsource": "MISC",
"url": "https://fluidattacks.com/advisories/tempest/"
},
{
"name": "https://github.com/oxen-io/session-android/pull/897",
"refsource": "MISC",
"url": "https://github.com/oxen-io/session-android/pull/897"
},
{
"name": "https://github.com/oxen-io/session-android",
"refsource": "MISC",
"url": "https://github.com/oxen-io/session-android"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-1955",
"datePublished": "2022-06-30T15:17:25.000Z",
"dateReserved": "2022-05-31T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:24:43.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2045 (GCVE-0-2024-2045)
Vulnerability from cvelistv5 – Published: 2024-02-29 23:37 – Updated: 2025-05-19 16:56
VLAI
Title
Session 1.17.5 - LFR via chat attachment
Summary
Session version 1.17.5 allows obtaining internal application files and public
files from the user's device without the user's consent. This is possible
because the application is vulnerable to Local File Read via chat attachments.
Severity
5.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
Impacted products
Date Public
2024-02-29 23:33
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:opft:session:1.17.5:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "session",
"vendor": "opft",
"versions": [
{
"status": "affected",
"version": "1.17.5"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2045",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-06T18:55:34.971070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:52:53.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:37.761Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/newman/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/oxen-io/session-android/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Session",
"vendor": "Session",
"versions": [
{
"status": "affected",
"version": "1.17.5"
}
]
}
],
"datePublic": "2024-02-29T23:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003eSession version 1.17.5 allows obtaining internal application files and public\u003c/div\u003e\u003cdiv\u003efiles from the user\u0027s device without the user\u0027s consent. This is possible\u003c/div\u003e\u003cdiv\u003ebecause the application is vulnerable to Local File Read via chat attachments.\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "Session version 1.17.5 allows obtaining internal application files and public\n\nfiles from the user\u0027s device without the user\u0027s consent. This is possible\n\nbecause the application is vulnerable to Local File Read via chat attachments."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T16:56:56.891Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://fluidattacks.com/advisories/newman/"
},
{
"url": "https://github.com/oxen-io/session-android/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Session 1.17.5 - LFR via chat attachment",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2024-2045",
"datePublished": "2024-02-29T23:37:37.339Z",
"dateReserved": "2024-02-29T23:31:27.739Z",
"dateUpdated": "2025-05-19T16:56:56.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1955 (GCVE-0-2022-1955)
Vulnerability from cvelistv5 – Published: 2022-06-30 15:17 – Updated: 2024-08-03 00:24
VLAI
Summary
Session 1.13.0 allows an attacker with physical access to the victim's device to bypass the application's password/pin lock to access user data. This is possible due to lack of adequate security controls to prevent dynamic code manipulation.
Severity
No CVSS data available.
CWE
- Improper Access Control
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/advisories/tempest/ | x_refsource_MISC |
| https://github.com/oxen-io/session-android/pull/897 | x_refsource_MISC |
| https://github.com/oxen-io/session-android | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:43.755Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/tempest/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/oxen-io/session-android/pull/897"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/oxen-io/session-android"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Session",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "1.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Session 1.13.0 allows an attacker with physical access to the victim\u0027s device to bypass the application\u0027s password/pin lock to access user data. This is possible due to lack of adequate security controls to prevent dynamic code manipulation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-30T15:17:25.000Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fluidattacks.com/advisories/tempest/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/oxen-io/session-android/pull/897"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/oxen-io/session-android"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "help@fluidattacks.com",
"ID": "CVE-2022-1955",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Session",
"version": {
"version_data": [
{
"version_value": "1.13.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Session 1.13.0 allows an attacker with physical access to the victim\u0027s device to bypass the application\u0027s password/pin lock to access user data. This is possible due to lack of adequate security controls to prevent dynamic code manipulation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fluidattacks.com/advisories/tempest/",
"refsource": "MISC",
"url": "https://fluidattacks.com/advisories/tempest/"
},
{
"name": "https://github.com/oxen-io/session-android/pull/897",
"refsource": "MISC",
"url": "https://github.com/oxen-io/session-android/pull/897"
},
{
"name": "https://github.com/oxen-io/session-android",
"refsource": "MISC",
"url": "https://github.com/oxen-io/session-android"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-1955",
"datePublished": "2022-06-30T15:17:25.000Z",
"dateReserved": "2022-05-31T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:24:43.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}