CVE-2024-5711

A stored Cross-Site Scripting (XSS) vulnerability exists in the stitionai/devika chat feature, allowing attackers to inject malicious payloads into the chat input. This vulnerability is due to the lack of input validation and sanitization on both the frontend and backend components of the application. Specifically, the application fails to sanitize user input in the chat feature, leading to the execution of arbitrary JavaScript code in the context of the user's browser session. This issue affects all versions of the application. The impact of this vulnerability includes the potential for stolen credentials, extraction of sensitive information from chat logs, projects, and other data accessible through the application.
Configurations

Configuration 1 (hide)

cpe:2.3:a:stitionai:devika:-:*:*:*:*:*:*:*

History

21 Nov 2024, 09:48

Type Values Removed Values Added
References () https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2 - Patch () https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2 - Patch
References () https://huntr.com/bounties/6c00ff84-574b-4b4f-bd58-aa7ec1809662 - Exploit, Patch () https://huntr.com/bounties/6c00ff84-574b-4b4f-bd58-aa7ec1809662 - Exploit, Patch

11 Jul 2024, 21:15

Type Values Removed Values Added
Summary (en) Cross-site Scripting (XSS) - Stored in GitHub repository stitionai/devika prior to -. (en) A stored Cross-Site Scripting (XSS) vulnerability exists in the stitionai/devika chat feature, allowing attackers to inject malicious payloads into the chat input. This vulnerability is due to the lack of input validation and sanitization on both the frontend and backend components of the application. Specifically, the application fails to sanitize user input in the chat feature, leading to the execution of arbitrary JavaScript code in the context of the user's browser session. This issue affects all versions of the application. The impact of this vulnerability includes the potential for stolen credentials, extraction of sensitive information from chat logs, projects, and other data accessible through the application.

11 Jul 2024, 14:54

Type Values Removed Values Added
CPE cpe:2.3:a:stitionai:devika:-:*:*:*:*:*:*:*
First Time Stitionai
Stitionai devika
CVSS v2 : unknown
v3 : 8.1
v2 : unknown
v3 : 6.1
References () https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2 - () https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2 - Patch
References () https://huntr.com/bounties/6c00ff84-574b-4b4f-bd58-aa7ec1809662 - () https://huntr.com/bounties/6c00ff84-574b-4b4f-bd58-aa7ec1809662 - Exploit, Patch

08 Jul 2024, 15:49

Type Values Removed Values Added
Summary
  • (es) Cross-site Scripting (XSS) almacenado en el repositorio de GitHub stitionai/devika antes de -.

08 Jul 2024, 00:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-08 00:15

Updated : 2024-11-21 09:48


NVD link : CVE-2024-5711

Mitre link : CVE-2024-5711

CVE.ORG link : CVE-2024-5711


JSON object : View

Products Affected

stitionai

  • devika
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')