A stored cross-site scripting (XSS) vulnerability exists in comfyanonymous/comfyui version 0.2.2 and possibly earlier. The vulnerability occurs when an attacker uploads an HTML file containing a malicious XSS payload via the `/api/upload/image` endpoint. The payload is executed when the file is viewed through the `/view` API endpoint, leading to potential execution of arbitrary JavaScript code.
References
Link | Resource |
---|---|
https://huntr.com/bounties/14fb8c9a-692a-4d8c-b4b2-24c6f91a383c | Exploit Third Party Advisory |
Configurations
History
21 Oct 2024, 21:03
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:comfy:comfyui:0.2.2:*:*:*:*:*:*:* | |
References | () https://huntr.com/bounties/14fb8c9a-692a-4d8c-b4b2-24c6f91a383c - Exploit, Third Party Advisory | |
First Time |
Comfy comfyui
Comfy |
18 Oct 2024, 12:52
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
17 Oct 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-17 19:15
Updated : 2024-10-21 21:03
NVD link : CVE-2024-10099
Mitre link : CVE-2024-10099
CVE.ORG link : CVE-2024-10099
JSON object : View
Products Affected
comfy
- comfyui
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')