CVE-2024-10099

A stored cross-site scripting (XSS) vulnerability exists in comfyanonymous/comfyui version 0.2.2 and possibly earlier. The vulnerability occurs when an attacker uploads an HTML file containing a malicious XSS payload via the `/api/upload/image` endpoint. The payload is executed when the file is viewed through the `/view` API endpoint, leading to potential execution of arbitrary JavaScript code.
References
Link Resource
https://huntr.com/bounties/14fb8c9a-692a-4d8c-b4b2-24c6f91a383c Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:comfy:comfyui:0.2.2:*:*:*:*:*:*:*

History

21 Oct 2024, 21:03

Type Values Removed Values Added
CPE cpe:2.3:a:comfy:comfyui:0.2.2:*:*:*:*:*:*:*
References () https://huntr.com/bounties/14fb8c9a-692a-4d8c-b4b2-24c6f91a383c - () https://huntr.com/bounties/14fb8c9a-692a-4d8c-b4b2-24c6f91a383c - Exploit, Third Party Advisory
First Time Comfy comfyui
Comfy

18 Oct 2024, 12:52

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de cross-site scripting (XSS) almacenado en la versión 0.2.2 de comfyanonymous/comfyui y posiblemente en versiones anteriores. La vulnerabilidad se produce cuando un atacante carga un archivo HTML que contiene un payload XSS malicioso a través del punto de conexión `/api/upload/image`. El payload se ejecuta cuando el archivo se visualiza a través del punto de conexión de API `/view`, lo que lleva a la posible ejecución de código JavaScript arbitrario.

17 Oct 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-17 19:15

Updated : 2024-10-21 21:03


NVD link : CVE-2024-10099

Mitre link : CVE-2024-10099

CVE.ORG link : CVE-2024-10099


JSON object : View

Products Affected

comfy

  • comfyui
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')