exploitDog

CVE-2024-5820

Опубликовано: 27 июн. 2024

Источник: nvd

CVSS3: 7.6

CVSS3: 8.8

EPSS Низкий

Описание

An unprotected WebSocket connection in the latest version of stitionai/devika (commit ecee79f) allows a malicious website to connect to the backend and issue commands on behalf of the user. The backend serves all listeners on the given socket, enabling any such malicious website to intercept all communication between the user and the backend. This vulnerability can lead to unauthorized command execution and potential server-side request forgery.

Ссылки

https://huntr.com/bounties/2ba757bf-8ede-445b-b143-2de7769758a6
Exploit
Third Party Advisory
https://huntr.com/bounties/2ba757bf-8ede-445b-b143-2de7769758a6
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:stitionai:devika:1.0:*:*:*:*:*:*:*

EPSS

Процентиль: 29%

0.00104

Низкий

7.6 High

CVSS3

8.8 High

CVSS3

Дефекты

CWE-862

Связанные уязвимости

GHSA-5hm6-hx2f-3w59

CVSS3: 7.6

github

больше 1 года назад

Missing Authorization in stitionai/devika

EPSS

Процентиль: 29%

0.00104

Низкий

7.6 High

CVSS3

8.8 High

CVSS3

Дефекты

CWE-862