CVE-2024-7957

An arbitrary file overwrite vulnerability exists in the ZulipConnector of danswer-ai/danswer, affecting the latest version. The vulnerability arises from the loadcredentials method, where user-controlled input for realmname and zuliprccontent is used to construct file paths and write file content...

CVE-2024-8065

A Cross-Site Request Forgery CSRF vulnerability in version v1.4.1 of danswer-ai/danswer allows attackers to perform unauthorized actions in the context of the victim's browser. This includes connecting the victim's application with a malicious Slack Bot, inviting users, and deleting chats, among...

CVE-2024-7767 Improper Access Control in danswer-ai/danswer

An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and...

CVE-2024-7957

The CVE-2024-7957 entry describes an arbitrary file overwrite vulnerability in the ZulipConnector of danswer-ai/danswer. The root cause is in load_credentials where user-controlled input for realm_name and zuliprc_content is used to construct file paths and write contents, enabling overwriting or...

CVE-2025-0182 Denial of Service in danswer-ai/danswer

A vulnerability in danswer-ai/danswer version 0.9.0 allows for denial of service through memory exhaustion. The issue arises from the use of a vulnerable version of the starlette package =0.49 via fastapi, which was patched in fastapi version 0.115.3. The vulnerability can be exploited by sending...

CVE-2024-8028 Denial of Service in danswer-ai/danswer

A vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to cause a Denial of Service DoS by uploading a file with a malformed multipart boundary. By appending a large number of characters to the end of the multipart boundary, the server continuously processes each character, rendering th...