CVE-2024-39314

toy-blog administrative token leaked through the command line parameter

Description

toy-blog is a headless content management system implementation. Starting in version 0.4.3 and prior to version 0.5.0, the administrative password was leaked through the command line parameter. The problem was patched in version 0.5.0. As a workaround, pass `--read-bearer-token-from-stdin` to the launch arguments and feed the token from the standard input in version 0.4.14 or later. Earlier versions do not have this workaround.

Category

4.7
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.03%
Affected: KisaragiEffective toy-blog
Published at:
Updated at:

References

Link Tags
https://github.com/KisaragiEffective/toy-blog/security/advisories/GHSA-q8g2-c3x5-gp89
https://github.com/KisaragiEffective/toy-blog/commit/4d003e46a944d8f44ea02c63f4beefa4cbe1f4f7

Frequently Asked Questions

What is the severity of CVE-2024-39314?
CVE-2024-39314 has been scored as a medium severity vulnerability.
How to fix CVE-2024-39314?
To fix CVE-2024-39314, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-39314 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-39314 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-39314?
CVE-2024-39314 affects KisaragiEffective toy-blog.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.