In the latest version (20240628) of gaizhenbiao/chuanhuchatgpt, an issue exists in the /file endpoint that allows authenticated users to access the chat history of other users. When a user logs in, a directory is created in the history folder with the user's name. By manipulating the /file endpoint, an authenticated user can enumerate and access files in other users' directories, leading to unauthorized access to private chat histories. This vulnerability can be exploited to read any user's private chat history.
References
Link | Resource |
---|---|
https://github.com/gaizhenbiao/chuanhuchatgpt/commit/ccc7479ace5c9e1a1d9f4daf2e794ffd3865fc2b | Patch |
https://huntr.com/bounties/71c5ea4b-524a-4173-8fd4-2fbabd69502e | Exploit Third Party Advisory |
Configurations
History
31 Oct 2024, 16:23
Type | Values Removed | Values Added |
---|---|---|
CWE | NVD-CWE-noinfo | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.3 |
Summary |
|
|
First Time |
Gaizhenbiao
Gaizhenbiao chuanhuchatgpt |
|
References | () https://github.com/gaizhenbiao/chuanhuchatgpt/commit/ccc7479ace5c9e1a1d9f4daf2e794ffd3865fc2b - Patch | |
References | () https://huntr.com/bounties/71c5ea4b-524a-4173-8fd4-2fbabd69502e - Exploit, Third Party Advisory | |
CPE | cpe:2.3:a:gaizhenbiao:chuanhuchatgpt:2024-06-28:*:*:*:*:*:*:* |
29 Oct 2024, 13:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-29 13:15
Updated : 2024-10-31 16:23
NVD link : CVE-2024-8143
Mitre link : CVE-2024-8143
CVE.ORG link : CVE-2024-8143
JSON object : View
Products Affected
gaizhenbiao
- chuanhuchatgpt
CWE