CVE-2024-3851

May 16, 2024, 1:03 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

imartinez/privategpt

  • latest version

Source

security@huntr.dev

CVE-2024-3851 details

Published : May 16, 2024, 9:15 a.m.
Last Modified : May 16, 2024, 1:03 p.m.

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in the 'imartinez/privategpt' repository due to improper validation of file uploads. Attackers can exploit this vulnerability by uploading malicious HTML files, such as those containing JavaScript payloads, which are then executed in the context of the victim's session when accessed. This could lead to the execution of arbitrary JavaScript code in the context of the user's browser session, potentially resulting in phishing attacks or other malicious actions. The vulnerability affects the latest version of the repository.

CVSS Score

6.8

CVSS Data

Attack Vector : NETWORK
Attack Complexity : LOW
Privileges Required : LOW
Scope : CHANGED
Confidentiality Impact : HIGH
Integrity Impact : NONE
Availability Impact : NONE
Base Score : 6.8
Exploitability Score
Impact Score
Base Severity : MEDIUM

References

URL Source
https://huntr.com/bounties/cae1a492-4e09-4d56-8e11-17703bdfe653 security@huntr.dev
This website uses the NVD API, but is not approved or certified by it.