CVE-2024-31206 HIGH

CVE-2024-31206: Use of Unencrypted HTTP Request in dectalk-tts

Vendor: Jstnmcbrd
Product: dectalk-tts
Weakness: CWE-300
Published: April 4, 2024
Last update: August 26, 2024

CVSS base score

8.2/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

Description

dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `dectalk-tts@1.0.0`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victim of a man-in-the-middle (MITM) attack. The network request was upgraded to HTTPS in version `1.0.1`. There are no workarounds, but some precautions include not sending any sensitive information and carefully verifying the API response before saving it.

Key dates

Disclosure timeline

April 4, 2024: CVE published
August 26, 2024: Record updated