CVE-2024-6255

July 31, 2024, 12:57 p.m.

8.2
High

Description

A vulnerability in the JSON file handling of gaizhenbiao/chuanhuchatgpt version 20240410 allows any user to delete any JSON file on the server, including critical configuration files such as `config.json` and `ds_config_chatbot.json`. This issue arises due to improper validation of file paths, enabling directory traversal attacks. An attacker can exploit this vulnerability to disrupt the functioning of the system, manipulate settings, or potentially cause data loss or corruption.

Product(s) Impacted

Product Versions
gaizhenbiao/chuanhuchatgpt
  • 20240410

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-73
External Control of File Name or Path
The product allows user input to control or influence paths or file names that are used in filesystem operations.

References

https://huntr.com/bounties/48f3e370-6dcd-4f38-9350-d0419b3a7f82

Tags

security@huntr.dev
CWE-73
2024-07-31
CVE-2024-6255

CVSS Score

8.2 / 10

CVSS Data - 3.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: HIGH

    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

    View Vector String

Timeline

Published: July 31, 2024, 1:15 a.m.
Last Modified: July 31, 2024, 12:57 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@huntr.dev

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.