CVE-2024-5820

Unprotected WebSocket in stitionai/devika

CVSS 7.6 HIGHEPSS 0.8%CWE-862

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7.6EPSS 0.8%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

27 jun 2024Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

An unprotected WebSocket connection in the latest version of stitionai/devika (commit ecee79f) allows a malicious website to connect to the backend and issue commands on behalf of the user. The backend serves all listeners on the given socket, enabling any such malicious website to intercept all communication between the user and the backend. This vulnerability can lead to unauthorized command execution and potential server-side request forgery.

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

Productos afectados

stitionai · stitionai/devika

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://huntr.com/bounties/2ba757bf-8ede-445b-b143-2de7769758a6