Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-j274-m559-cj4j

Опубликовано: 20 мар. 2025
Источник: github
Github: Прошло ревью
CVSS3: 6.8

Описание

Open WebUI Vulnerable to Cross-Site Scripting (XSS) via Chat File Upload

A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui version 0.3.8. An attacker can inject malicious content into a file, which, when accessed by a victim through a URL or shared chat, executes JavaScript in the victim's browser. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks.

Ссылки

Пакеты

Наименование

open-webui

pip
Затронутые версииВерсия исправления

<= 0.3.8

Отсутствует

EPSS

Процентиль: 49%
0.00262
Низкий

6.8 Medium

CVSS3

CVE ID

CVE-2024-7044

Дефекты

CWE-79

Связанные уязвимости

nvd логотип

CVE-2024-7044

CVSS3: 8.9
nvd
11 месяцев назад

A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui version 0.3.8. An attacker can inject malicious content into a file, which, when accessed by a victim through a URL or shared chat, executes JavaScript in the victim's browser. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks.

EPSS

Процентиль: 49%
0.00262
Низкий

6.8 Medium

CVSS3

CVE ID

CVE-2024-7044

Дефекты

CWE-79