whatsapp-api-js is a server-agnostic TypeScript framework for WhatsApp's Official API. It's possible to check the payload validation using WhatsAppAPI.verifyRequestSignature and expect false when the signature is valid. Incorrect Access Control: anyone using the post or verifyRequestSignature methods to handle messages is impacted. This vulnerability is fixed in 4.0.3.
History

Thu, 19 Sep 2024 02:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Secreto31126; Secreto31126 whatsapp-api-js
Weaknesses | | NVD-CWE-Other
CPEs | | cpe:2.3:a:secreto31126:whatsapp-api-js:*:*:*:*:*:node.js:*:*
Vendors & Products | | Secreto31126; Secreto31126 whatsapp-api-js

Thu, 12 Sep 2024 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Sep 2024 20:00:00 +0000

Type | Values Removed | Values Added
Description | | whatsapp-api-js is a server-agnostic TypeScript framework for WhatsApp's Official API. It's possible to check the payload validation using WhatsAppAPI.verifyRequestSignature and expect false when the signature is valid. Incorrect Access Control: anyone using the post or verifyRequestSignature methods to handle messages is impacted. This vulnerability is fixed in 4.0.3.
Title | | whatsapp-api-js fails to validate message's signature
Weaknesses | | CWE-347
References | |
Metrics | | cvssV3_1: {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-09-12T19:58:13.803Z

Updated: 2024-09-12T20:04:46.581Z

Reserved: 2024-09-02T16:00:02.424Z

Link: CVE-2024-45607

Vulnrichment

Updated: 2024-09-12T20:04:43.175Z

NVD

Status: Analyzed

Published: 2024-09-12T20:15:05.020

Modified: 2024-09-19T02:05:28.707

Link: CVE-2024-45607

Redhat

No data.