CVE-2024-3402

A stored Cross-Site Scripting (XSS) vulnerability existed in version (20240121) of gaizhenbiao/chuanhuchatgpt due to inadequate sanitization and validation of model output data. Despite user-input validation efforts, the application fails to properly sanitize or validate the output from the model, allowing for the injection and execution of malicious JavaScript code within the context of a user's browser. This vulnerability can lead to the execution of arbitrary JavaScript code in the context of other users' browsers, potentially resulting in the hijacking of victims' browsers.
References
Link Resource
https://huntr.com/bounties/389570c4-0bf2-4bc3-84f5-2e7afdba8ed1 Exploit Issue Tracking Patch Third Party Advisory
https://huntr.com/bounties/389570c4-0bf2-4bc3-84f5-2e7afdba8ed1 Exploit Issue Tracking Patch Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:gaizhenbiao:chuanhuchatgpt:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:29

Type Values Removed Values Added
References () https://huntr.com/bounties/389570c4-0bf2-4bc3-84f5-2e7afdba8ed1 - Exploit, Issue Tracking, Patch, Third Party Advisory () https://huntr.com/bounties/389570c4-0bf2-4bc3-84f5-2e7afdba8ed1 - Exploit, Issue Tracking, Patch, Third Party Advisory

24 Sep 2024, 14:04

Type Values Removed Values Added
CPE cpe:2.3:a:gaizhenbiao:chuanhuchatgpt:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 6.8
v2 : unknown
v3 : 5.4
First Time Gaizhenbiao
Gaizhenbiao chuanhuchatgpt
References () https://huntr.com/bounties/389570c4-0bf2-4bc3-84f5-2e7afdba8ed1 - () https://huntr.com/bounties/389570c4-0bf2-4bc3-84f5-2e7afdba8ed1 - Exploit, Issue Tracking, Patch, Third Party Advisory

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) Existía una vulnerabilidad de Cross-site Scripting (XSS) almacenado en la versión (20240121) de gaizhenbiao/chuanhuchatgpt debido a una sanitización y validación inadecuadas de los datos de salida del modelo. A pesar de los esfuerzos de validación de las entradas del usuario, la aplicación no sanitiza ni valida adecuadamente la salida del modelo, lo que permite la inyección y ejecución de código JavaScript malicioso dentro del contexto del navegador de un usuario. Esta vulnerabilidad puede provocar la ejecución de código JavaScript arbitrario en el contexto de los navegadores de otros usuarios, lo que podría provocar el secuestro de los navegadores de las víctimas.

06 Jun 2024, 19:16

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-06 19:16

Updated : 2024-11-21 09:29


NVD link : CVE-2024-3402

Mitre link : CVE-2024-3402

CVE.ORG link : CVE-2024-3402


JSON object : View

Products Affected

gaizhenbiao

  • chuanhuchatgpt
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')