6.5

CVE-2024-5278

Exploit

EPSS 0.51%
Veröffentlicht 06.06.2024 19:16:07
Zuletzt bearbeitet 15.10.2025 13:15:46
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

gaizhenbiao/chuanhuchatgpt is vulnerable to an unrestricted file upload vulnerability due to insufficient validation of uploaded file types in its `/upload` endpoint. Specifically, the `handle_file_upload` function does not sanitize or validate the file extension or content type of uploaded files, allowing attackers to upload files with arbitrary extensions, including HTML files containing XSS payloads and Python files. This vulnerability, present in the latest version as of 20240310, could lead to stored XSS attacks and potentially result in remote code execution (RCE) on the server hosting the application.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gaizhenbiao ≫ Chuanhuchatgpt Version < 20240919

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.51%	0.656

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security@huntr.dev	6.5	2.8	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://huntr.com/bounties/ea821d86-941b-40f3-a857-91f758848e05

Third Party Advisory

Exploit

https://github.com/gaizhenbiao/chuanhuchatgpt/commit/22007a77f037c0cf76180f9b73a8d19e87dad02e

https://nvd.nist.gov/vuln/detail/CVE-2024-5278

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-5278

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-5278

EUVD