This issue affects DropBox Sign(HelloSign): through 2024-12-04.
"}],"value":"User Interface (UI) Misrepresentation of Critical Information vulnerability in DropBox Sign(HelloSign) allows Content Spoofing.\nDisplayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened.\nThis issue affects DropBox Sign(HelloSign): through 2024-12-04."}],"exploits":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Known, potentially in use (e.g., spear phishing)"}],"value":"Known, potentially in use (e.g., spear phishing)"}],"impacts":[{"capecId":"CAPEC-148","descriptions":[{"lang":"en","value":"CAPEC-148 Content Spoofing"}]}],"metrics":[{"cvssV4_0":{"Automatable":"YES","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":8.2,"baseSeverity":"HIGH","privilegesRequired":"NONE","providerUrgency":"RED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"HIGH","userInteraction":"PASSIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/AU:Y/U:Red","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]},{"other":{"content":{"id":"CVE-2024-52270","options":[{"Exploitation":"active"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"Coordinator","version":"2.0.3"},"type":"ssvc"}},{"other":{"content":{"Automatable":"Yes","Exploitation":"Active","Technical Impact":"Partial","Value Density":"Diffused","version":"2.0"},"type":"SSVCv2.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-451","description":"CWE-451 User Interface (UI) Misrepresentation of Critical Information","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe","shortName":"VULSec","dateUpdated":"2024-12-05T16:52:35.673Z"},"references":[{"tags":["vdb-entry"],"url":"https://www.vulsec.org/advisories"},{"tags":["exploit"],"url":"https://www.loom.com/share/48f63594e14c49e19840ad9cb7d60453?sid=816c6afa-0b67-4b0b-98ff-d5c58d464038"},{"tags":["exploit"],"url":"https://new.space/s/ZuHoujvkjdzfY7Uihah7Yg#SKWLU_g2Cihfj4qsq9XNy6F4saxVAzD876PujiDOYfs"},{"tags":["exploit"],"url":"https://drive.proton.me/urls/Z6DHXNRZQC#jkfO38rjOiOj"},{"tags":["product"],"url":"https://sign.dropbox.com/"},{"tags":["product"],"url":"https://app.hellosign.com/"}],"source":{"discovery":"USER"},"tags":["x_known-exploited-vulnerability","exclusively-hosted-service"],"title":"PDF Document Spoofing in DropBox Sign(HelloSign)","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"* If other party initiated e-signing - Download the PDF file for a security professionals/educated persons inspection