CVE-2024-10101

A stored cross-site scripting (XSS) vulnerability exists in binary-husky/gpt_academic version 3.83. The vulnerability occurs at the /file endpoint, which renders HTML files. Malicious HTML files containing XSS payloads can be uploaded and stored in the backend, leading to the execution of the payload in the victim's browser when the file is accessed. This can result in the theft of session cookies or other sensitive information.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Exploitability : 2.8 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://huntr.com/bounties/0436d96a-a2c4-4ca5-9f3c-fd68eb74d2cb

Configurations

No configuration.

History

18 Oct 2024, 12:52

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de cross-site scripting (XSS) almacenado en la versión 3.83 de binary-husky/gpt_academic. La vulnerabilidad se produce en el endpoint /file, que procesa archivos HTML. Los archivos HTML maliciosos que contienen payloads XSS se pueden cargar y almacenar en el backend, lo que lleva a la ejecución de el payload en el navegador de la víctima cuando se accede al archivo. Esto puede provocar el robo de cookies de sesión u otra información confidencial.

17 Oct 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-17 19:15

Updated : 2024-10-18 12:52

NVD link : CVE-2024-10101

Mitre link : CVE-2024-10101

CVE.ORG link : CVE-2024-10101

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

8.2 /10