127 matches found
CVE-2025-59422 Dify Has Broken Access Control on Log Message Endpoint Allows Reading of Chats of Others
Dify is an open-source LLM app development platform. In version 1.8.1, a broken access control vulnerability on the /console/api/apps/chat-messages?conversationid=&limit=10 endpoint allows users in the same workspace to read chat messages of other users. A regular user is able to read the query...
Linux Distros Unpatched Vulnerability : CVE-2018-9240
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ncmpc through 0.29 is prone to a NULL pointer dereference flaw. If a user uses the chat screen and another client sends a long chat message, a crash and denial ...
CVE-2025-7951
A vulnerability classified as problematic has been found in code-projects Public Chat Room 1.0. This affects an unknown part of the file /sendmessage.php. The manipulation of the argument chatmsg/yourname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit h...
Code-Projects Public Chat Room 代码注入漏洞
Code-Projects Public Chat Room is Code-Projects open source public chat room software. Code-Projects Public Chat Room version 1.0 suffers from a code injection vulnerability, which originates from a cross-site scripting attack due to incorrect manipulation of the chatmsg/yourname parameter in the...
Discourse 3.1.1 - Unauthenticated Chat Message Access
!/usr/bin/env ruby Title : Discourse 3.1.1 - Unauthenticated Chat Message Access CVE-2023-45131 CVSS: 7.5 High Affected: Discourse 3.1.1 stable, 3.2.0.beta2 Author ibrahimsql @ https://twitter.com/ibrahmsql Date: 2023-12-14 require 'net/http' require 'uri' require 'json' require 'openssl' require...
CVE-2023-51219
A deep link validation issue in KakaoTalk 10.4.3 allowed a remote adversary to direct users to run any attacker-controlled JavaScript within a WebView. The impact was further escalated by triggering another WebView that leaked its access token in a HTTP request header. Ultimately, this access tok...
CVE-2021-32689
Nextcloud Talk is a fully on-premises audio/video and chat communication service. In versions prior to 11.2.2, if a user was able to reuse an earlier used username, they could get access to any chat message sent to the previous user with this username. The issue was patched in versions 11.2.2 and...
CVE-2020-12772
An issue was discovered in Ignite Realtime Spark 2.8.3 and the ROAR plugin for it on Windows. A chat message can include an IMG element with a SRC attribute referencing an external host's IP address. Upon access to this external host, the NTLM hashes of the user are sent with the HTTP request. Th...
CVE-2012-0916
Heap-based buffer overflow in RenRen Talk 2.9 allows remote attackers to execute arbitrary code via a crafted image in a chat message, as demonstrated using a PNG file...
CVE-2002-2173
Buffer overflow in the IRC module of Trillian 0.725 and 0.73 allowing remote attackers to execute arbitrary code via a long DCC Chat message...
CVE-2025-46719
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, a vulnerability in the way certain html tags in chat messages are rendered allows attackers to inject JavaScript code into a chat transcript. The JavaScript code will be...
CVE-2025-46719 Open WebUI vulnerable to stored XSS via unescaped markdown token in MarkdownTokens.svelte leading to full account takeover and RCE via functions
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.6.6, a vulnerability in the way certain html tags in chat messages are rendered allows attackers to inject JavaScript code into a chat transcript. The JavaScript code will be...
CVE-2020-6109
An exploitable path traversal vulnerability exists in the Zoom client, version 4.6.10 processes messages including animated GIFs. A specially crafted chat message can cause an arbitrary file write, which could potentially be abused to achieve arbitrary code execution. An attacker needs to send a...
CVE-2025-0741
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to write messages into other users chat by changing the parameter "chatid" of the POST request "/embedai/chats/sendmessage"...
CVE-2025-0740
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to obtain chat messages belonging to other users by changing the “CHATID” of the endpoint "/embedai/chats/loadmessages?chatid="...
CVE-2025-0741 Improper Access Control vulnerability in EmbedAI
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to write messages into other users chat by changing the parameter "chatid" of the POST request "/embedai/chats/sendmessage"...
CVE-2025-0740
CVE-2025-0740 concerns an improper access control in EmbedAI (versions 2.1 and below). An authenticated attacker can access other users’ chat messages by altering the chat_id parameter in the endpoint /embedai/chats/load_messages?chat_id=. Documents consistently describe the vulnerability as an a...
PT-2025-4036 · Embedai · Embedai
Name of the Vulnerable Software and Affected Versions: EmbedAI affected versions not specified Description: A Stored Cross-Site Scripting issue has been found, allowing an authenticated attacker to inject malicious JavaScript code into a message that will be executed when a user opens the chat...
BIT-DISCOURSE-2024-47772 Cross-site Scripting (XSS) via chat excerpts when content security policy (CSP) disabled in Discourse
Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of...
Discourse 跨站脚本漏洞
Discourse is an open source community discussion platform from Discourse Open Source. The platform includes community, email, and chat room features. Discourse suffers from a cross-site scripting vulnerability. An attacker exploiting this vulnerability could execute arbitrary JavaScript on a user...