Products
gaizhenbiao/chuanhuchatgpt
- 20240410
Source
security@huntr.dev
Tags
CVE-2024-6035 details
Published : July 11, 2024, 11:15 a.m.
Last Modified : July 11, 2024, 1:05 p.m.
Last Modified : July 11, 2024, 1:05 p.m.
Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410. This vulnerability allows an attacker to inject malicious JavaScript code into the chat history file. When a victim uploads this file, the malicious script is executed in the victim's browser. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9.3 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
9.3
Exploitability Score
2.8
Impact Score
5.8
Base Severity
CRITICAL
Vector String : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
References
| URL | Source |
|---|---|
| https://huntr.com/bounties/e4e8da71-53a9-4540-8d70-6b670b076987 | security@huntr.dev |
This website uses the NVD API, but is not approved or certified by it.