6 matches found
CVE-2024-10835
In eosphoros-ai/db-gpt version v0.6.0, the web API POST /api/v1/editor/sql/run allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write using DuckDB SQL, enabling them to write arbitrary files to the...
CVE-2024-10835
creationtimestamp| type| source ---|---|--- 2025-03-20 11:40:18+00:00| seen| https://bsky.app/profile/cyberalerts.bsky.social/post/3lksmh3wmef2v 2026-02-18 13:58:32+00:00| seen| https://gist.github.com/YLChen-007/0f5d82daccccf9d96159a381cb249b8a...
CVE-2024-10835
In eosphoros-ai/db-gpt version v0.6.0, the web API POST /api/v1/editor/sql/run allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write using DuckDB SQL, enabling them to write arbitrary files to the...
CVE-2024-10835 Arbitrary File Write via SQL Injection in eosphoros-ai/db-gpt
In eosphoros-ai/db-gpt version v0.6.0, the web API POST /api/v1/editor/sql/run allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write using DuckDB SQL, enabling them to write arbitrary files to the...
CVE-2024-10835 Arbitrary File Write via SQL Injection in eosphoros-ai/db-gpt
In eosphoros-ai/db-gpt version v0.6.0, the web API POST /api/v1/editor/sql/run allows execution of arbitrary SQL queries without any access control. This vulnerability can be exploited by attackers to perform Arbitrary File Write using DuckDB SQL, enabling them to write arbitrary files to the...
CVE-2024-10835
CVE-2024-10835 affects eosphoros-ai/db-gpt v0.6.0. The web API endpoint POST /api/v1/editor/sql/run allows executing arbitrary SQL without access control, enabling Arbitrary File Write via DuckDB SQL and potentially Remote Code Execution (RCE). Affected component: DB-GPT web API handler for edito...