CVE-2022-24781

7.1 HIGH

📋 TL;DR

CVE-2022-24781 is a session fixation vulnerability in the Geon board game. The web application accepts a client-supplied UUID as the user's identity, so a malicious user can substitute another user's UUID from the browser console and be treated as a co-owner of that user's game session without authorization. All users running Geon versions before 1.1.0 are affected.

💻 Affected Systems

Products:
  • Geon board game
Versions: All versions before 1.1.0
Operating Systems: All platforms (the flaw is in the Geon web application itself, not in the host OS)
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in Geon's web-based implementation, where a user's identity is carried in a client-controlled UUID. Ordinary browser developer tools are enough to alter it; no special access to the server or the victim's machine is required.

📦 What is this software?

Geon is a board game published on GitHub (math-geon/Geon) and played through a web application in the browser.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who learns a session owner's UUID becomes co-owner of that session and holds the same control over the game as the legitimate owner: disrupting play, altering game state or outcome, and seeing whatever the owner role exposes.

🟠

Likely Case

Malicious users disrupt legitimate game sessions by joining as unauthorized co-owners, causing gameplay interference and potential data manipulation.

🟢

If Mitigated

With identity bound to the connection on the server side rather than to a client-supplied UUID, only the legitimate owner holds the owner role, preserving game integrity and user privacy.

🌐 Internet-Facing: HIGH - Any user who can reach the application can perform the spoof from their own browser, so an internet-facing instance exposes every game session to anyone who learns an owner's UUID.
🏢 Internal Only: MEDIUM - Internal instances remain vulnerable to insiders and to compromised internal hosts; the attack surface is reduced only because fewer people can reach the application.

🎯 Exploit Status

Public PoC: ❌ No (none referenced)
Weaponized: LIKELY (the attack is a few lines typed into a browser console, so no tooling is needed)
Unauthenticated Exploit: ⚠️ Any ordinary user of the instance; no owner or administrator privileges needed
Complexity: LOW

Exploitation requires only the target user's UUID and a browser console. The attacker needs nothing beyond an ordinary user session in the application, which is why every user of a vulnerable instance is a potential attacker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.0

Vendor Advisory: https://github.com/math-geon/Geon/security/advisories/GHSA-4fv9-g2jh-j5xm

Restart Required: Yes

Instructions:

1. Download Geon version 1.1.0 from the GitHub releases page.
2. Replace the existing Geon installation with the patched version.
3. Restart the Geon application/service.
4. Verify the fix by checking the running version number.

🔧 Temporary Workarounds

No official workaround available

The vendor advisory states that no known workaround exists. Patching is the only mitigation.

🧯 If You Can't Patch

  • Isolate Geon instances from untrusted networks (VPN or source allow-list) and restrict access to trusted users only; every user who can reach the application can attempt the spoof.
  • Front the application with an authenticating reverse proxy so that at least the set of people who can reach it is known and logged. This does not stop one legitimate user from spoofing another, so treat it as a stop-gap, not a fix.

🔍 How to Verify

Check if Vulnerable:

Check Geon version number. If version is below 1.1.0, the system is vulnerable.

Check Version:

Check the Geon application interface, the deployed release tag, or the package metadata of the installed build for version information

Verify Fix Applied:

After patching, verify version is 1.1.0 or higher and test that UUID spoofing through browser console no longer grants unauthorized session access.

📡 Detection & Monitoring

Log Indicators:

  • The same UUID presented by more than one connection or source IP
  • Owner or co-owner roles granted to a connection that did not create the session
  • A connection that presents one UUID and later a different one (the server sees only the substituted UUID, never the browser console activity itself)

Network Indicators:

  • Unusual session join patterns
  • Multiple session ownership requests from same IP

SIEM Query:

Correlate session and join events by UUID: alert when one UUID is presented by more than one connection or source IP, when a connection changes its UUID mid-session, or when an owner role is granted to a connection other than the one that created the session.
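The correlation described above, as an added detection example run over constructed log lines (not Geon tooling). It assumes the game server writes one JSON event per line with fields ts, event, session, conn, ip, uuid and role; the field names and the sample events are assumptions made for this example.

```javascript
// Added detection example for the indicators on this page. Not Geon tooling:
// the log format (one JSON event per line with ts, event, session, conn, ip,
// uuid, role) is an assumption, and the sample lines below are constructed.
const SAMPLE_LOG = `
{"ts":"2024-01-01T10:00:00Z","event":"connect","conn":"c1","ip":"10.0.0.5","uuid":"aaaa-1"}
{"ts":"2024-01-01T10:00:01Z","event":"create","session":"g1","conn":"c1","ip":"10.0.0.5","uuid":"aaaa-1","role":"owner"}
{"ts":"2024-01-01T10:00:05Z","event":"connect","conn":"c2","ip":"10.0.0.9","uuid":"bbbb-2"}
{"ts":"2024-01-01T10:00:06Z","event":"join","session":"g1","conn":"c2","ip":"10.0.0.9","uuid":"bbbb-2","role":"player"}
{"ts":"2024-01-01T10:00:30Z","event":"join","session":"g1","conn":"c2","ip":"10.0.0.9","uuid":"aaaa-1","role":"owner"}
not json: a malformed line the parser must skip
`.trim().split("\n");

function parseLog(lines) {
  const events = [];
  for (const line of lines) {
    if (!line.trim()) continue;
    try {
      events.push(JSON.parse(line));
    } catch {
      // malformed line: skip rather than abort the whole scan
    }
  }
  return events;
}

// Three indicators, all visible server-side (the console activity itself is not):
//  - uuid-changed: one connection presents a different UUID than it started with
//  - owner-from-second-connection: an owner role is granted to a UUID that has
//    already been seen on another connection/IP
//  - uuid-shared: summary of every UUID presented from more than one place
function findSpoofIndicators(events) {
  const findings = [];
  const uuidToOrigins = new Map(); // uuid -> Set of "conn@ip"
  const connToUuid = new Map();    // conn -> first UUID it presented
  for (const e of events) {
    if (!e.uuid || !e.conn) continue;
    const origin = `${e.conn}@${e.ip}`;
    if (!uuidToOrigins.has(e.uuid)) uuidToOrigins.set(e.uuid, new Set());
    uuidToOrigins.get(e.uuid).add(origin);

    const first = connToUuid.get(e.conn);
    if (first === undefined) {
      connToUuid.set(e.conn, e.uuid);
    } else if (first !== e.uuid) {
      findings.push({ kind: "uuid-changed", conn: e.conn, from: first, to: e.uuid, ts: e.ts });
    }
    if (e.role === "owner" && uuidToOrigins.get(e.uuid).size > 1) {
      findings.push({ kind: "owner-from-second-connection", uuid: e.uuid, conn: e.conn, ip: e.ip, session: e.session, ts: e.ts });
    }
  }
  for (const [uuid, origins] of uuidToOrigins) {
    if (origins.size > 1) findings.push({ kind: "uuid-shared", uuid, origins: [...origins] });
  }
  return findings;
}

console.log(findSpoofIndicators(parseLog(SAMPLE_LOG)));
```

On the sample, connection c2 first joins as bbbb-2 and thirty seconds later presents aaaa-1 (the owner's UUID), which fires all three indicators. In a real deployment the UUID-shared check needs a time window and an allowance for legitimate reconnects from the same IP, otherwise a player who refreshes the page will look like a spoof.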
