CVE-2024-5549

Exploit

EPSS 0.29%
Veröffentlicht 09.07.2024 00:15:02
Zuletzt bearbeitet 15.07.2025 13:23:08
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

Data leak through CORS misconfiguration in stitionai/devika

A CORS misconfiguration in the stitionai/devika repository allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability also enables attackers to perform actions on behalf of the user, such as deleting projects or sending messages. The issue arises from the lack of proper origin validation, allowing unauthorized cross-origin requests to be executed. The vulnerability is present in all versions of the repository, as no fixed version has been specified.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Stitionai ≫ Devika Version1.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.29%	0.205

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	8.1	2.8	5.2	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2

Patch

https://huntr.com/bounties/7ffeb896-27c8-429d-b241-4f7d6dda0afd

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-5549

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-5549

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-5549

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-5549