CVE-2024-12039
- EPSS 0.78%
- Published 20.03.2025 10:09:33
- Last modified 15.07.2025 15:59:02
langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few ho...
CVE-2024-12775
- EPSS 0.28%
- Published 20.03.2025 10:09:23
- Last modified 14.07.2025 18:13:49
langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API `POST /console/api/workspaces/current/tool-provider/api/test/pre`. Attackers can s...
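The SSRF entry above turns on an endpoint that fetches an attacker-chosen URL on the server's behalf. The following is an added example (not Dify's code) of the validation a practitioner would put in front of such a fetch: an allowlist of schemes, a resolve-then-check of every address the host maps to, and rejection of loopback, RFC 1918, link-local (which covers the 169.254.169.254 cloud metadata address) and IPv4-mapped IPv6 targets. `classify_target`, `CONSTRUCTED_DNS` and `fake_resolve` are assumptions for illustration; the DNS table is constructed so the block runs offline.

```python
"""URL validation for a server-side 'test this tool' fetch, as a guard
against SSRF. Added example, not Dify's code; names are assumptions."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolve(host):
    """Resolve a hostname to all of its A/AAAA addresses via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table so the example runs offline; these are not real lookups.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host):
    if host in CONSTRUCTED_DNS:
        return CONSTRUCTED_DNS[host]
    raise socket.gaierror(f"constructed resolver: unknown host {host}")


def is_public_address(ip):
    """Reject loopback, RFC 1918, link-local (includes 169.254.169.254, the
    cloud metadata address), multicast, reserved and unspecified ranges.
    An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 is unwrapped first."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def classify_target(url, resolve=default_resolve):
    """Return (allowed, detail). When allowed, detail is the vetted IP the
    caller should connect to directly, rather than resolving the name a
    second time at connect time (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addresses = [ipaddress.ip_address(host)]      # IP literal
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False, "unresolvable host"
    if not addresses:
        return False, "no addresses"
    for ip in addresses:                              # every address must pass
        if not is_public_address(ip):
            return False, f"{ip} is not a public address"
    return True, str(addresses[0])
```

Two caveats the check alone does not cover: the HTTP client must not follow redirects automatically (re-run `classify_target` on each `Location`), and it must connect to the vetted IP returned here, otherwise a host that answers with a public address at check time and 127.0.0.1 at connect time gets through.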
CVE-2024-11824
- EPSS 0.27%
- Published 20.03.2025 10:09:08
- Last modified 14.07.2025 17:42:04
A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. The vulnerability arises because certain HTML tags like <input> and <form> are not disallowed, allowing an attacke...
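The stored XSS entry above describes a denylist that forgot `<input>` and `<form>`. The fix a practitioner wants is the opposite construction: rebuild the fragment keeping only an allowlist of tags and attributes, so anything unlisted (`<form>`, `<input>`, `<img onerror>`, `<svg onload>`) is dropped without having to be named. The block below is an added example, not Dify's code; the tag and attribute sets and the function names are assumptions chosen for illustration.

```python
"""Allowlist HTML sanitizer for chat-log rendering. Added example, not
Dify's code; tag and attribute sets are assumptions for illustration."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre",
                "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:")
DROP_CONTENT_TAGS = {"script", "style"}   # tag *and* its text are removed


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup, keeping only allowlisted tags and attributes.
    A denylist (the pattern behind the CVE) has to enumerate every
    dangerous element and always misses one."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []       # tags removed; useful for logging/alerting
        self._skipping = 0      # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skipping += 1
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                      # drops every on* handler
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue                      # drops javascript:/data: links
            rendered.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS and self._skipping:
            self._skipping -= 1
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always re-escaped, so "<" typed by a user stays literal.
        if not self._skipping:
            self.out.append(escape(data, quote=False))


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def dropped_tags(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.dropped
```

In production a maintained sanitizer library is the better choice; the point of the block is the shape of the policy (allowlist of tags, allowlist of attributes per tag, allowlist of URL schemes) rather than the parser itself.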
CVE-2024-11821
- EPSS 0.17%
- Published 20.03.2025 10:08:59
- Last modified 14.07.2025 17:25:30
A privilege escalation vulnerability exists in langgenius/dify version 0.9.1. This vulnerability allows a normal user to modify Orchestrate instructions for a chatbot created by an admin user. The issue arises because the application does not properl...
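The privilege escalation entry above is a missing authorization check on a write path: membership in the workspace was treated as permission to edit any app in it. The block below is an added example, not Dify's code, contrasting that check with one that also requires an editing role or ownership of the app. The role names (`owner`, `admin`, `normal`), the `App`/`User` fields and the in-memory `APPS` table are assumptions constructed for illustration.

```python
"""Authorization on chatbot instruction edits: the membership-only check
beside a role/ownership check. Added example; the data model and role
names are assumptions, not Dify's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    tenant_id: str
    role: str            # assumption: "owner", "admin" or "normal"


@dataclass
class App:
    id: str
    tenant_id: str
    created_by: str
    instructions: str = ""


class Forbidden(Exception):
    pass


EDITOR_ROLES = {"owner", "admin"}

# Constructed workspace: one app created by an admin, one by a normal user.
APPS = {
    "app-1": App("app-1", "t1", created_by="admin-1", instructions="Be helpful."),
    "app-2": App("app-2", "t1", created_by="user-7", instructions="Answer briefly."),
}


def update_instructions_vulnerable(user, app_id, text):
    """Checks only that the app lives in the caller's workspace, so any
    member can overwrite a prompt written by an admin."""
    app = APPS[app_id]
    if app.tenant_id != user.tenant_id:
        raise Forbidden("app is not in your workspace")
    app.instructions = text
    return app.instructions


def can_edit_app(user, app):
    """Same workspace AND (privileged role OR the app's creator)."""
    if app.tenant_id != user.tenant_id:
        return False
    return user.role in EDITOR_ROLES or app.created_by == user.id


def update_instructions_fixed(user, app_id, text):
    app = APPS[app_id]
    if not can_edit_app(user, app):
        raise Forbidden(f"{user.id} may not edit {app.id}")
    app.instructions = text
    return app.instructions


def try_update(handler, user, app_id, text):
    """Drive a handler and report the outcome as a string, for the tests."""
    try:
        handler(user, app_id, text)
        return "ok"
    except Forbidden:
        return "forbidden"
```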
CVE-2025-1796
- EPSS 0.40%
- Published 20.03.2025 10:08:46
- Last modified 16.07.2025 15:15:54
A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts, by exploiting a weak pseudo-random number generator (PRNG) used for generating password reset codes. The application uses `rando...
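CVE-2024-12039 (no limit on reset-code guesses) and CVE-2025-1796 (reset codes drawn from `random`) are two halves of the same password-reset weakness, so one added example covers both. It is not Dify's code: it shows a seeded Mersenne Twister reproducing the same codes, then a reset-code store that draws from `secrets`, caps attempts per code, expires codes and makes them single-use, with a brute-force loop run against the unlimited and the capped configuration. `ResetCodeStore`, `brute_force`, the six-digit format and the limits are assumptions for illustration.

```python
"""Password-reset codes: predictable PRNG and unlimited guessing, beside
the fix. Added example, not Dify's code; names and limits are assumptions."""
import hmac
import random
import secrets
import time

CODE_DIGITS = 6            # 10**6 possible codes
MAX_ATTEMPTS = 5
CODE_TTL_SECONDS = 600


def weak_reset_code(rng=random):
    """Vulnerable pattern: `random` is a Mersenne Twister, not a CSPRNG.
    Whoever knows or recovers its state reproduces every code it emits."""
    return "".join(str(rng.randint(0, 9)) for _ in range(CODE_DIGITS))


def weak_codes_from_seed(seed, count):
    """Two generators with the same seed emit identical code sequences."""
    rng = random.Random(seed)
    return [weak_reset_code(rng) for _ in range(count)]


def strong_reset_code():
    """Fixed pattern: `secrets` draws from the OS CSPRNG."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class ResetCodeStore:
    """In-memory per-account store. max_attempts=None reproduces the
    'no limit on guesses' behaviour; a real deployment keeps the counter
    in shared storage so it survives restarts and multiple workers."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, now=time.time):
        self.max_attempts = max_attempts
        self._now = now
        self._entries = {}     # email -> [code, issued_at, attempts]

    def issue(self, email, code=None):
        code = code if code is not None else strong_reset_code()
        self._entries[email] = [code, self._now(), 0]
        return code

    def verify(self, email, candidate):
        entry = self._entries.get(email)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._entries[email]
            return False
        if self.max_attempts is not None and attempts >= self.max_attempts:
            del self._entries[email]   # lock: the user must request a new code
            return False
        entry[2] = attempts + 1
        if hmac.compare_digest(code, candidate):
            del self._entries[email]   # single use
            return True
        return False

    def attempts(self, email):
        entry = self._entries.get(email)
        return entry[2] if entry else None


def brute_force(store, email):
    """Attacker loop over every 6-digit code. Returns the number of guesses
    spent on success, or None if the store locked or expired the code."""
    for n in range(10 ** CODE_DIGITS):
        if store.verify(email, f"{n:0{CODE_DIGITS}d}"):
            return n + 1
        if store.attempts(email) is None:     # entry gone: locked or expired
            return None
    return None
```

Five attempts against a six-digit code gives an attacker a 5 in 1,000,000 chance per issued code; without the cap the same loop is guaranteed to succeed in at most a million requests, which is the "within a few hours" in the first entry.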