CVE-2024-45793: 
Python vulnerability analysis and mitigation

Confidant, an open source secret management service, was found to contain a cross-site scripting (XSS) vulnerability in version 6.6.2 and earlier. The vulnerability affects multiple API endpoints including credential and service management endpoints. The vulnerability was discovered and disclosed on September 20, 2024 (GitHub Advisory).

The vulnerability is classified as a stored XSS vulnerability (CWE-79) affecting multiple API endpoints including GET, POST, and PUT operations for credentials and services. The affected endpoints include /v1/credentials, /v1/credentials/, /v1/archive/credentials/, /v1/services, and related paths. The vulnerability has been assigned a CVSS v3.1 score of 4.8 (Medium) with the vector string CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (GitHub Advisory).

The vulnerability allows authenticated users with privileges to create new credentials to inject malicious scripts that can affect other users accessing the same Confidant instance. This can lead to information disclosure and potential script execution in other users' browsers (GitHub Advisory).

The vulnerability has been patched in version 6.6.2. Users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability (GitHub Advisory, FortiGuard Labs).