CVE-2024-4321

Exploit

EPSS 0.28%
Veröffentlicht 16.05.2024 09:15:16
Zuletzt bearbeitet 10.07.2025 16:21:16
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A Local File Inclusion (LFI) vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically within the functionality for uploading chat history. The vulnerability arises due to improper input validation when handling file paths during the chat history upload process. An attacker can exploit this vulnerability by intercepting requests and manipulating the 'name' parameter to specify arbitrary file paths. This allows the attacker to read sensitive files on the server, leading to information leakage, including API keys and private information. The issue affects version 20240310 of the application.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gaizhenbiao ≫ Chuanhuchatgpt Version20240310

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.28%	0.515

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://huntr.com/bounties/19a16f8e-3d92-498f-abc9-8686005f067e

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-4321

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-4321

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-4321

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-4321