High severity7.5NVD Advisory· Published Jun 27, 2024· Updated Apr 15, 2026

CVE-2024-38523

Description

Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The TOTP authentication flow has multiple issues that weakens its one-time nature. Specifically, the lack of 2FA for changing security settings allows attacker with CSRF or XSS primitives to change such settings without user interaction and credentials are required. This vulnerability has been patched in version 0.10.

Patches

efc0369eadff

https://github.com/scidsg/hushlinevia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/scidsg/hushline/pull/376nvd
github.com/scidsg/hushline/security/advisories/GHSA-4c38-hhxx-9mhxnvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000