6574 matches found
CVE-2024-5549 Data leak through CORS misconfiguration in stitionai/devika
A CORS misconfiguration in the stitionai/devika repository allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability also enables attackers to perform actions on behalf of the user, such as...
CVE-2024-5711 Stored XSS in stitionai/devika
A stored Cross-Site Scripting XSS vulnerability exists in the stitionai/devika chat feature, allowing attackers to inject malicious payloads into the chat input. This vulnerability is due to the lack of input validation and sanitization on both the frontend and backend components of the...
CVE-2024-5711
The CVE-2024-5711 entry describes a stored XSS in the stitionai/devika chat feature caused by insufficient input validation and sanitization on both the frontend and the backend. Affected: stitionai/devika chat input across all versions. Impact, per the referenced documents, includes potential execution of arbitrary JavaScri...
GO-2024-2955 Gin mishandles a wildcard in the origin string in github.com/gin-contrib/cors
Gin-Gonic CORS middleware mishandles a wildcard at the end of an origin string. Examples: https://example.community/ is accepted by the origin string https://example.com/ and http://localhost.example.com/ is accepted by the origin string http://localhost/...
CVE-2024-36404
creationtimestamp | type | source
---|---|---
2024-07-02 01:43:04+00:00 | published-proof-of-concept | https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
2024-07-09 08:10:17+00:00 | published-proof-of-concept | https://t.me/CNArsenal/2767
2024-07-09 16:34:26+00:00 | ...
CVE-2024-5926
A path traversal vulnerability in the get-project-files functionality of stitionai/devika allows attackers to read arbitrary files from the filesystem and cause a Denial of Service DoS. This issue is present in all versions of the application. The vulnerability arises due to insufficient path...
CVE-2024-5926
CVE-2024-5926 involves a path traversal in stitionai/devika’s get-project-files function. The root cause is insufficient path sanitization for the project-name parameter, enabling an attacker to traverse the filesystem and read arbitrary files, potentially causing a Denial of Service across all v...
GO-2024-2516 Grafana XSS via a column style in github.com/grafana/grafana
Grafana XSS via a column style in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest an edit...
GO-2024-2430 Authenticated users can crash the CubeFS servers with maliciously crafted requests in github.com/cubefs/cubefs
Authenticated users can crash the CubeFS servers with maliciously crafted requests in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports...
GO-2024-2434 CubeFS leaks users key in logs in github.com/cubefs/cubefs
CubeFS leaks users key in logs in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest an edit t...
CVE-2024-5547
A directory traversal vulnerability exists in the /api/download-project-pdf endpoint of the stitionai/devika repository, affecting the latest version. The vulnerability arises due to insufficient sanitization of the 'projectname' parameter in the downloadprojectpdf function. Attackers can exploit...
CVE-2024-5548 Directory Traversal in stitionai/devika
A directory traversal vulnerability exists in the stitionai/devika repository, specifically within the /api/download-project endpoint. Attackers can exploit this vulnerability by manipulating the 'projectname' parameter in a GET request to download arbitrary files from the system. This issue...
CVE-2024-5334 Local File Read in stitionai/devika
A local file read vulnerability exists in the stitionai/devika repository, affecting the latest version. The vulnerability is due to improper handling of the 'snapshotpath' parameter in the '/api/get-browser-snapshot' endpoint. An attacker can exploit this vulnerability by crafting a request with...
CVE-2024-5334
Summary of CVE-2024-5334 (Devika): A local file read vulnerability exists in the stitionai/devika repository due to improper handling of the ‘snapshot_path’ parameter in the POST/GET endpoint “/api/get-browser-snapshot.” Attackers can craft a request with a malicious snapshot_path to read arbitra...