CVE-2024-6586
published 2024-08-30


Priority: P3 · 51 · Severity: high · CVSS 3.1 base score: 7.3
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Exploit: available
EPSS: 1.79% (75.5th percentile)
Lightdash version 0.1024.6 allows users with the necessary permissions, such as Administrator or Editor, to create and share dashboards. A dashboard that contains HTML elements pointing to a threat-actor-controlled source triggers an SSRF request when it is exported via a POST request to /api/v1/dashboards/<dashboard uuid>/export. The forged request carries the exporting user's session token (the connect.sid cookie), so a threat actor can obtain the session token of any user who exports the dashboard and use it to perform actions as the victim in the application, resulting in session takeover.

Affected (1 range)

Vendor: lightdash
Product: lightdash
Version range: >= 0.1024.6, < 0.1027.2
Fixed in: 0.1027.2

Detection & IOCs (extracted from sources)

URLs:
  /api/v1/login
  /api/v1/org/projects
  /api/v1/projects/{{projectuuid}}/dashboards
  /api/v1/dashboards/{{dashuuid}}
  /api/v1/dashboards/{{dashuuid}}/export
Cookie: connect.sid
Request body: {"queryFilters":"","gridWidth":1400}
  • Monitor for POST requests to /api/v1/dashboards/<uuid>/export — this is the trigger endpoint for the SSRF. Outbound HTTP requests originating from the Lightdash server to external/attacker-controlled domains immediately after an export call indicate exploitation.
  • Detect exfiltration of the session cookie by monitoring outbound HTTP requests from the Lightdash server that contain the string 'connect.sid=' in the request URI or headers — this indicates the session token is being leaked to an external host.
  • Alert on PATCH requests to /api/v1/dashboards/<uuid> that include markdown tile content with embedded HTML elements (e.g., <frame>, <img> tags) pointing to external domains — this is the dashboard poisoning step prior to export.
  • Use an out-of-band (OAST/interactsh) canary to confirm exploitability: an HTTP callback from the Lightdash server containing 'connect.sid=' after a dashboard export proves the instance is vulnerable, and if the export was not performed by your own tester it proves the instance is actively being exploited.
  • Exploitation requires an authenticated session with at least Editor or Administrator privileges; unauthenticated exploitation is not possible.
  • The SSRF fires only when a victim user exports the malicious dashboard; the attacker must socially engineer, or wait for, a privileged user to perform the export.
  • The vulnerability is confirmed in Lightdash 0.1024.6 specifically, which is the version the Nuclei template targets. The sources cite the fix as 0.1024.7+, while the affected range above gives the fixed release as 0.1027.2; until the two agree, treat every release below 0.1027.2 as potentially affected.
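The first two detection rules above, turned into a runnable correlation over sample logs. This is an added example, not code from this page or from the Lightdash project; the two log formats, the host names lightdash-app and cdn.example.org, the 203.0.113.10 callback address, the session values and the 30-second window are all assumptions made for the illustration.

```python
"""Correlate Lightdash dashboard exports with outbound callbacks carrying connect.sid.

Added example (not code from the page or from Lightdash). Both logs are constructed
and share one space-separated layout: <utc-ts> <actor> <method> <path-or-url> <status>.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed application access log: who called which Lightdash endpoint.
APP_LOG = """\
2024-08-30T10:00:00Z alice GET /api/v1/dashboards/3f2c1d9e-1111-4a2b-9c3d-000000000001 200
2024-08-30T10:00:02Z alice POST /api/v1/dashboards/3f2c1d9e-1111-4a2b-9c3d-000000000001/export 200
2024-08-30T10:30:00Z bob POST /api/v1/dashboards/3f2c1d9e-2222-4a2b-9c3d-000000000002/export 200
"""

# Constructed egress proxy log: requests the Lightdash server itself made outbound.
EGRESS_LOG = """\
2024-08-30T10:00:05Z lightdash-app GET http://203.0.113.10/c?connect.sid=s%3AabcDEF.sig 200
2024-08-30T10:00:06Z lightdash-app GET https://cdn.example.org/logo.png 200
2024-08-30T10:30:04Z lightdash-app GET https://cdn.example.org/logo.png 200
2024-08-30T11:00:00Z lightdash-app GET http://203.0.113.10/c?connect.sid=s%3Azzz.sig 200
"""

LIGHTDASH_HOSTS = {"lightdash-app"}   # assumption: how the egress log names the Lightdash server
TRUSTED_EGRESS = {"cdn.example.org"}  # assumption: hosts the server legitimately fetches during export
WINDOW = timedelta(seconds=30)        # how long after an export a callback still counts as related

EXPORT_RE = re.compile(r"^POST /api/v1/dashboards/([0-9a-fA-F-]{36})/export$")
COOKIE_RE = re.compile(r"connect\.sid=")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_exports(app_log):
    """Return the export POSTs (the SSRF trigger) found in the app access log."""
    exports = []
    for line in app_log.splitlines():
        ts, user, method, path, _status = line.split()
        m = EXPORT_RE.match(f"{method} {path}")
        if m:
            exports.append({"time": parse_ts(ts), "user": user, "dashboard": m.group(1)})
    return exports


def parse_egress(egress_log):
    """Return outbound requests made by the Lightdash server itself."""
    reqs = []
    for line in egress_log.splitlines():
        ts, src, _method, url, _status = line.split()
        if src in LIGHTDASH_HOSTS:
            reqs.append({"time": parse_ts(ts), "url": url, "host": urlsplit(url).hostname})
    return reqs


def find_cookie_leaks(egress_log):
    """Cookie rule: any outbound request from the server carrying connect.sid= is a leak,
    whether or not an export was seen (the app log may be missing or rotated)."""
    return [r for r in parse_egress(egress_log) if COOKIE_RE.search(r["url"])]


def correlate(app_log, egress_log, window=WINDOW):
    """Export rule: an export POST followed, within the window, by egress to a host
    outside the trusted set. The alert names the exporting user, who is the victim."""
    alerts = []
    egress = parse_egress(egress_log)
    for exp in parse_exports(app_log):
        for r in egress:
            if not (exp["time"] <= r["time"] <= exp["time"] + window):
                continue
            if r["host"] in TRUSTED_EGRESS:
                continue
            alerts.append({
                "user": exp["user"],
                "dashboard": exp["dashboard"],
                "host": r["host"],
                "delay_s": (r["time"] - exp["time"]).total_seconds(),
                "session_leaked": bool(COOKIE_RE.search(r["url"])),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(APP_LOG, EGRESS_LOG):
        print("ALERT", a)
    for r in find_cookie_leaks(EGRESS_LOG):
        print("LEAK", r["time"], r["url"])
```

On the sample data the export rule raises one alert (alice's export followed three seconds later by a callback to 203.0.113.10 carrying connect.sid=), while the cookie rule also catches the 11:00 leak that has no export in the window; keeping both rules covers the case where the application log is unavailable.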