Cyber Resilience

CVE-2024-31206

High

Published: 04 April 2024
Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
EPSS Score: 0.0004 (13.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-31206 is a high-severity Channel Accessible by Non-Endpoint (CWE-300) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, it ranks at the 13.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `dectalk-tts@1.0.0`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victim of a man-in-the-middle (MITM) attack. The network request was upgraded to HTTPS in version `1.0.1`. There are no workarounds, but some precautions include not sending any sensitive information and carefully verifying the API response before saving it.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Directly prevents cleartext transmission of sensitive information by requiring encryption or equivalent confidentiality protections during transit.

addresses: CWE-300 CWE-319

Restrictions and channel controls reduce the chance that VoIP media or signaling streams remain accessible to non-participants.

addresses: CWE-300 CWE-319

Directly prevents non-endpoint access or interception of the session communication path.

addresses: CWE-300 CWE-319

An out-of-band channel is inaccessible to non-endpoints that can observe or interfere with the primary communication channel.

addresses: CWE-300 CWE-319

The control restricts an inherently broadcast wireless channel to only intended endpoints, mitigating accessibility by non-endpoints.

addresses: CWE-300 CWE-319

Confidentiality and integrity protections on the transmission channel directly reduce the ability of non-endpoint actors to access or tamper with the data.

addresses: CWE-319

Role-based training covers secure transmission methods, mitigating cleartext transmission of sensitive data.

addresses: CWE-319

By requiring documented security controls for information exchanges, the control reduces the risk of cleartext transmission of sensitive data.

References