
Cloud Vulnerability DB
A community-led vulnerabilities database
Scout, a web-based visualizer for VCF files, contains a vulnerability (CVE-2024-47531) caused by insufficient filename sanitization. The vulnerability affects versions up to 4.88.1 and was fixed in version 4.89. The issue was disclosed on September 30, 2024; it allows attackers to bypass the intended file extension restrictions and potentially cause users to download malicious files (GitHub Advisory).
The vulnerability stems from inadequate sanitization of filenames in the panel export functionality. The issue exists in the downloadedpanelname function where filenames are generated and used directly in response headers without proper sanitization. This allows attackers to manipulate the panel name to include malicious extensions, bypassing the intended file format restrictions. The vulnerability has been assigned a CVSS v3.1 score of 4.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (GitHub Advisory).
When exploited, this vulnerability could lead to users unknowingly downloading and opening malicious files with unexpected extensions. Since the files are served from a trusted domain, users may be more likely to trust and open these potentially dangerous files, which could result in device or data compromise (GitHub Advisory).
The vulnerability has been fixed in Scout version 4.89. The fix includes improved filename sanitization and proper handling of file extensions. Organizations using affected versions should upgrade to version 4.89 or later (GitHub Patch).
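The following is an added illustration of the defensive pattern the fix describes; it is not Scout's own code. The server, not the user-controlled panel name, decides the extension, and the name is reduced to a conservative character set before it is placed in a Content-Disposition header. The allowed extensions and the function names are assumptions.

```python
import re
import unicodedata

# Allowed export extensions for the hypothetical download endpoint (assumption:
# the page does not list Scout's real export formats, so these stand in).
ALLOWED_EXTENSIONS = {"csv", "txt"}
DEFAULT_EXTENSION = "csv"
MAX_STEM_LENGTH = 100


def safe_download_filename(panel_name: str, extension: str = DEFAULT_EXTENSION) -> str:
    """Build a filename that is safe to place in a Content-Disposition header.

    The extension is chosen by the server and checked against an allowlist;
    any suffix carried by the user-supplied panel name is neutralised because
    dots are not in the permitted character set.
    """
    if extension not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not permitted: {extension!r}")
    # Fold accented characters to ASCII where possible, drop the rest.
    stem = unicodedata.normalize("NFKD", panel_name).encode("ascii", "ignore").decode()
    # Collapse every run of disallowed characters (CR/LF, quotes, slashes,
    # dots, spaces, ...) into a single underscore. This removes header
    # injection characters, path separators and user-chosen extensions.
    stem = re.sub(r"[^A-Za-z0-9_-]+", "_", stem)
    # No leading/trailing separators, no empty name, bounded length.
    stem = stem.strip("_-")[:MAX_STEM_LENGTH] or "panel"
    return f"{stem}.{extension}"


def content_disposition(panel_name: str, extension: str = DEFAULT_EXTENSION) -> str:
    """Return a Content-Disposition value whose filename the server fully controls."""
    return f'attachment; filename="{safe_download_filename(panel_name, extension)}"'
```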
Source: This report was generated using AI