CVE-2024-8143

Unauthorized Access to User Chat History in gaizhenbiao/chuanhuchatgpt

CVSS 6.5 MEDIUMEPSS 0.5%CWE-1057

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 6.5EPSS 0.5%KEV nãoPoC —Patch —

Ciclo de vida

29 out 2024Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

In the latest version (20240628) of gaizhenbiao/chuanhuchatgpt, an issue exists in the /file endpoint that allows authenticated users to access the chat history of other users. When a user logs in, a directory is created in the history folder with the user's name. By manipulating the /file endpoint, an authenticated user can enumerate and access files in other users' directories, leading to unauthorized access to private chat histories. This vulnerability can be exploited to read any user's private chat history.

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Produtos afetados

gaizhenbiao · gaizhenbiao/chuanhuchatgpt

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/gaizhenbiao/chuanhuchatgpt/commit/ccc7479ace5c9e1a1d9f4daf2e794ffd3865fc2b https://huntr.com/bounties/71c5ea4b-524a-4173-8fd4-2fbabd69502e