60 matches found

NVD, added 2025/03/20 10:15 a.m., 3 views

CVE-2024-7819

A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the...

CVSS 7.4, EPSS 0.00114
Exploits: 0, References: 1
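The entry above hinges on how the server validates the Origin header before it reflects it into Access-Control-Allow-Origin together with Allow-Credentials. The following is an added illustration written for this listing, not code from danswer-ai/danswer: a loose substring check that any attacker origin can satisfy, beside an exact allowlist match on the normalised origin. The allowlist contents and function names are assumptions.

```python
"""Origin-header validation for a credentialed CORS response.

Added illustration for this page, not code from danswer-ai/danswer. The
vulnerable form reflects any Origin that merely contains the trusted host
name, which is the shape of "improper validation of the origin header": a
page on an attacker-controlled origin is granted Access-Control-Allow-Origin
plus Allow-Credentials, so its fetch() can read the victim's authenticated
responses (chats, API keys). The hardened form compares the normalised
origin (scheme://host[:port]) for exact membership in an allowlist. The
allowlist and function names are assumptions for the example.
"""
from urllib.parse import urlsplit

TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # assumed


def vulnerable_cors_headers(origin: str) -> dict[str, str]:
    """Substring match on the Origin header: bypassable, and it reflects the
    attacker's origin with credentials allowed."""
    if origin and "app.example.com" in origin:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def hardened_cors_headers(origin: str) -> dict[str, str]:
    """Exact allowlist match on the full origin; anything else gets no CORS
    headers at all, so the browser blocks the cross-origin read."""
    if not origin:
        return {}
    parts = urlsplit(origin)
    # A real Origin is scheme://host[:port] with no path, query or userinfo.
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query:
        return {}
    if "@" in parts.netloc:
        return {}
    normalised = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalised not in TRUSTED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": normalised,
        "Access-Control-Allow-Credentials": "true",
        # The response differs per Origin, so shared caches must key on it.
        "Vary": "Origin",
    }
```

The quick check for any deployment is the same as the test below: send a request with an Origin such as `https://app.example.com.attacker.tld` or `https://evilapp.example.com` and confirm the response carries neither Access-Control-Allow-Origin nor Allow-Credentials.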
NVD, added 2025/03/20 10:15 a.m., 4 views

CVE-2024-7767

An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and...

CVSS 8.1, EPSS 0.00283
Exploits: 1, References: 1
OSV, added 2025/03/20 10:15 a.m., 0 views

CVE-2024-7767

An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and...

CVSS 8.1, AI score 6.6
Exploits: 0, References: 1
Vulnrichment, added 2025/03/20 10:11 a.m., 4 views

CVE-2024-7767 Improper Access Control in danswer-ai/danswer

An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of data integrity, and...

CVSS 6.5, AI score 6.4, EPSS 0.00283
Exploits: 1, References: 1
CVE, added 2025/03/20 10:11 a.m., 45 views

CVE-2024-7767

CVE-2024-7767 affects danswer-ai/danswer v0.3.94. The root cause is improper access control, enabling the first user created in the system to view, modify, and delete chats created by an Admin. Reported impact includes unauthorized access to sensitive information and potential data integrity issu...

CVSS 8.1, AI score 6.4, EPSS 0.00283
Exploits: 1, References: 1, Affected Software: 1
Cvelist, added 2025/03/20 10:11 a.m., 7 views

CVE-2024-9612 Unauthorized Access in danswer-ai/danswer

In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search page. When the search page is set to be invisible, regular users cannot view the search page or access its functionalities from the front-end interface. However, the back-end doe...

CVSS 6.5, EPSS 0.00128
Exploits: 1, References: 1
Vulnrichment, added 2025/03/20 10:11 a.m., 8 views

CVE-2024-9612 Unauthorized Access in danswer-ai/danswer

In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search page. When the search page is set to be invisible, regular users cannot view the search page or access its functionalities from the front-end interface. However, the back-end doe...

CVSS 6.5, AI score 6.5, EPSS 0.00128
Exploits: 1, References: 1
CVE, added 2025/03/20 10:11 a.m., 75 views

CVE-2024-9612

In danswer-ai/danswer v0.3.94, the vulnerability stems from the back-end not validating the visibility status of the search page. Administrators can hide the search page from the front-end, but regular users can still access its functionalities by directly calling the API, bypassing the visibilit...

CVSS 6.5, AI score 6.4, EPSS 0.00128
Exploits: 1, References: 1, Affected Software: 1
CVE, added 2025/03/20 10:10 a.m., 39 views

CVE-2024-8057

CVE-2024-8057 concerns the Danswer AI project (danswer, version 0.4.1) where a basic user can create credentials and link them to an existing connector due to insufficient access control. The issue arises because an unauthenticated user can sign up with a basic account and perform actions that sh...

CVSS 4.3, AI score 4.7, EPSS 0.00141
Exploits: 0, References: 1
CVE, added 2025/03/20 10:10 a.m., 91 views

CVE-2024-9617

Summary: CVE-2024-9617 describes an Insecure Direct Object Reference in danswer-ai/danswer v0.3.94 where an attacker can view any user file via GET /api/chat/file/{file_id} due to missing ownership checks. Details from connected docs: • Vulnerable component: Danswer application (v0.3.94). • Root ...

CVSS 6.5, AI score 6.4, EPSS 0.15556
Exploits: 0, References: 1
Vulnrichment, added 2025/03/20 10:10 a.m., 9 views

CVE-2024-9617 IDOR in danswer-ai/danswer

An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/fileid interface to view any user's file...

CVSS 6.5, AI score 6.4, EPSS 0.15556
Exploits: 0, References: 1
Cvelist, added 2025/03/20 10:10 a.m., 7 views

CVE-2024-9617 IDOR in danswer-ai/danswer

An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/fileid interface to view any user's file...

CVSS 6.5, EPSS 0.15556
Exploits: 0, References: 1
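Three of the entries above are the same class of bug at two levels: an object-level check that never happens (CVE-2024-9617, any file by id; CVE-2024-7767, a non-admin acting on an admin's chats) and a function-level check that lives only in the front-end (CVE-2024-9612, the hidden search page still served by the API). The block below is an added example for this listing, not danswer-ai/danswer code; it uses hypothetical in-memory data and an assumed "owner or admin" policy to show each vulnerable shape next to the server-side check that closes it. The same role check gates admin-only actions such as the connector-credential case in CVE-2024-8057.

```python
"""Server-side authorization for chats, files and admin-hidden pages.

Added example for this page, not danswer-ai/danswer code. With hypothetical
in-memory data it models three access-control entries from the listing: a
file fetch with no ownership check (CVE-2024-9617, IDOR on
GET /api/chat/file/{file_id}), chat operations that let a non-admin act on
an admin's chats (CVE-2024-7767), and a search page hidden only in the
front-end while the back-end still serves it (CVE-2024-9612). The hardened
functions enforce each check on the server. The "owner or admin" policy,
the visible_pages setting and all names are assumptions.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not perform the requested operation."""


@dataclass(frozen=True)
class User:
    id: str
    is_admin: bool = False


@dataclass
class Workspace:
    # Admin-controlled page visibility (assumed representation).
    visible_pages: set[str] = field(default_factory=set)
    # file_id -> (owner_id, content)
    files: dict[str, tuple[str, bytes]] = field(default_factory=dict)
    # chat_id -> (owner_id, text)
    chats: dict[str, tuple[str, str]] = field(default_factory=dict)


# ---- vulnerable shapes: authenticated, but never authorized ---------------

def get_file_vulnerable(ws: Workspace, user: User, file_id: str) -> bytes:
    # Looks the object up by id only; any logged-in user can read it.
    return ws.files[file_id][1]


def delete_chat_vulnerable(ws: Workspace, user: User, chat_id: str) -> None:
    del ws.chats[chat_id]


def search_vulnerable(ws: Workspace, user: User, query: str) -> list[str]:
    # Visibility is a front-end concern here; the API ignores it.
    return [text for _, text in ws.chats.values() if query in text]


# ---- hardened shapes ------------------------------------------------------

def require_owner_or_admin(owner_id: str, user: User) -> None:
    if user.id != owner_id and not user.is_admin:
        raise Forbidden(f"{user.id} may not touch an object owned by {owner_id}")


def require_page(ws: Workspace, user: User, page: str) -> None:
    # Function-level check: a page hidden by the admin is hidden for the API too.
    if not user.is_admin and page not in ws.visible_pages:
        raise Forbidden(f"page {page!r} is not enabled for this user")


def get_file(ws: Workspace, user: User, file_id: str) -> bytes:
    owner, content = ws.files[file_id]
    require_owner_or_admin(owner, user)   # object-level check
    return content


def delete_chat(ws: Workspace, user: User, chat_id: str) -> None:
    owner, _ = ws.chats[chat_id]
    require_owner_or_admin(owner, user)
    del ws.chats[chat_id]


def search(ws: Workspace, user: User, query: str) -> list[str]:
    require_page(ws, user, "search")
    # Scope results to what the caller owns (admins see everything).
    return [text for owner, text in ws.chats.values()
            if query in text and (user.is_admin or owner == user.id)]


def denied(fn, *args) -> bool:
    """True if fn(*args) is refused with Forbidden (used to show outcomes)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def demo_workspace() -> Workspace:
    # Constructed sample data: an admin's chat and file, and a regular user's chat.
    ws = Workspace(visible_pages={"chat"})
    ws.files["f1"] = ("admin", b"board-deck.pdf contents")
    ws.chats["c1"] = ("admin", "quarterly numbers")
    ws.chats["c2"] = ("alice", "lunch plans")
    return ws
```

The practical check is the one the test encodes: log in as a freshly registered, non-admin user, call the file, chat and search endpoints with ids that belong to the admin, and expect a 403 for every one of them regardless of what the front-end shows.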
CVE, added 2025/03/20 10:10 a.m., 41 views

CVE-2024-7957

The CVE-2024-7957 entry describes an arbitrary file overwrite vulnerability in the ZulipConnector of danswer-ai/danswer. The root cause is in load_credentials where user-controlled input for realm_name and zuliprc_content is used to construct file paths and write contents, enabling overwriting or...

CVSS 9.1, AI score 9.2, EPSS 0.00311
Exploits: 0, References: 1
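The entry above is a path-construction bug: a caller-chosen name becomes part of a filesystem path and caller-chosen bytes are written there. As an added example for this listing (not the ZulipConnector code from danswer-ai/danswer), the block below shows why `os.path.join` alone does not contain the write, and a hardened version that restricts the name, verifies containment on the resolved path and refuses to overwrite. Directory names and the allowed character set are assumptions.

```python
"""Safe placement of a caller-named credential file under a fixed directory.

Added example for this page, not the ZulipConnector code from
danswer-ai/danswer. The vulnerable shape joins a caller-supplied name (the
page's realm_name) onto a base directory and writes caller-supplied bytes
(zuliprc_content) there: os.path.join drops the base for an absolute name
and keeps '..' segments, so the write can land anywhere the process can
write. The hardened shape restricts the name to a safe character set,
checks that the resolved path is still inside the base directory, and
opens the file with O_EXCL so an existing file is never overwritten.
Directory names and the character set are assumptions.
"""
import os
import re
import tempfile
from pathlib import Path

# Leading alphanumeric, then a small safe set; '.' and '..' cannot match.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def vulnerable_target(base: str, realm_name: str) -> str:
    return os.path.join(base, realm_name, "zuliprc")


def safe_target(base: str, realm_name: str) -> Path:
    if not SAFE_NAME.fullmatch(realm_name):
        raise ValueError(f"invalid realm name: {realm_name!r}")
    root = Path(base).resolve()
    target = (root / realm_name / "zuliprc").resolve()
    # Defence in depth: even if the name check is ever loosened, the resolved
    # path (symlinks followed) must stay below root.
    if root not in target.parents:
        raise ValueError("target escapes the base directory")
    return target


def write_credentials(base: str, realm_name: str, zuliprc_content: bytes) -> Path:
    target = safe_target(base, realm_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    # Exclusive create with owner-only permissions: no silent overwrite.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(zuliprc_content)
    return target


def is_rejected(realm_name: str) -> bool:
    """True if safe_target refuses the name (checked under a temporary base)."""
    with tempfile.TemporaryDirectory() as base:
        try:
            safe_target(base, realm_name)
        except ValueError:
            return True
    return False


def demo_round_trip() -> bool:
    """Write once successfully, then confirm a second write is refused."""
    with tempfile.TemporaryDirectory() as base:
        p = write_credentials(base, "acme", b"[api]\nemail=bot@example.com\n")
        ok = p.read_bytes().startswith(b"[api]") and p.parent.parent == Path(base).resolve()
        try:
            write_credentials(base, "acme", b"overwrite attempt")
        except FileExistsError:
            return ok and p.read_bytes().startswith(b"[api]")
        return False
```

When reviewing similar connector code, the two questions to ask are whether any caller-controlled string reaches a path join without an allowlist on its characters, and whether the open mode would silently replace a file that is already there.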
Cvelist, added 2025/03/20 10:10 a.m., 8 views

CVE-2024-8065 CSRF in danswer-ai/danswer

A Cross-Site Request Forgery (CSRF) vulnerability in version v1.4.1 of danswer-ai/danswer allows attackers to perform unauthorized actions in the context of the victim's browser. This includes connecting the victim's application with a malicious Slack Bot, inviting users, and deleting chats, among...

CVSS 8.1, EPSS 0.00155
Exploits: 0, References: 1
Vulnrichment, added 2025/03/20 10:10 a.m., 5 views

CVE-2024-8065 CSRF in danswer-ai/danswer

A Cross-Site Request Forgery (CSRF) vulnerability in version v1.4.1 of danswer-ai/danswer allows attackers to perform unauthorized actions in the context of the victim's browser. This includes connecting the victim's application with a malicious Slack Bot, inviting users, and deleting chats, among...

CVSS 8.1, AI score 8.2, EPSS 0.00155
Exploits: 0, References: 1
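The CSRF entries above describe state-changing endpoints (link a Slack bot, invite users, delete chats) that act on a cookie-authenticated request no matter which site caused the browser to send it. The block below is an added example for this listing, not danswer-ai/danswer code: a request check that requires both a same-site Origin (or Referer) and a per-session token echoed in a header before any non-safe method is processed. The site origin, header name and dict-based session are assumptions.

```python
"""Rejecting cross-site state-changing requests (CSRF defence).

Added example for this page, not danswer-ai/danswer code. A cookie-
authenticated API must not act on a POST, PUT or DELETE that a foreign
page caused the victim's browser to send. The check below requires two
independent signals on every state-changing request: the Origin header
(falling back to Referer) must be this site's origin, and a CSRF token sent
in a request header must match the token bound to the session
(synchroniser-token pattern). The site origin, header name and the
dict-based session are assumptions.
"""
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example.com"      # assumed deployment origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TOKEN_HEADER = "x-csrf-token"                # assumed header name


def issue_token(session: dict) -> str:
    """Bind a fresh random token to the session; the front-end echoes it back."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def _request_origin(headers: dict) -> Optional[str]:
    origin = headers.get("origin")
    if origin is None:
        referer = headers.get("referer")
        if referer:
            u = urlsplit(referer)
            origin = f"{u.scheme}://{u.netloc}"
    return origin


def csrf_check(method: str, headers: dict, session: dict) -> tuple:
    """Return (allowed, reason). `headers` keys are lower-case."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = _request_origin(headers)
    if origin is None:
        # Browsers send Origin on cross-site POSTs; treat its absence as hostile.
        return False, "no Origin or Referer on a state-changing request"
    if origin.lower() != SITE_ORIGIN:
        return False, f"cross-site request from {origin}"
    sent = headers.get(TOKEN_HEADER, "")
    expected = session.get("csrf", "")
    if not expected or not hmac.compare_digest(sent.encode(), expected.encode()):
        return False, "missing or mismatched CSRF token"
    return True, "ok"
```

A page on another origin cannot set a custom request header without a CORS preflight and cannot forge the Origin header, so a forged form post fails both checks. Setting the session cookie with SameSite=Lax or Strict is a third, independent layer that costs nothing and is worth enabling alongside this check.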
Vulnrichment, added 2025/03/20 10:10 a.m., 3 views

CVE-2025-0182 Denial of Service in danswer-ai/danswer

A vulnerability in danswer-ai/danswer version 0.9.0 allows for denial of service through memory exhaustion. The issue arises from the use of a vulnerable version of the starlette package (<=0.49) via fastapi, which was patched in fastapi version 0.115.3. The vulnerability can be exploited by sending...

CVSS 7.5, AI score 7.5, EPSS 0.00225
Exploits: 0, References: 1
Cvelist, added 2025/03/20 10:10 a.m., 6 views

CVE-2025-0182 Denial of Service in danswer-ai/danswer

A vulnerability in danswer-ai/danswer version 0.9.0 allows for denial of service through memory exhaustion. The issue arises from the use of a vulnerable version of the starlette package (<=0.49) via fastapi, which was patched in fastapi version 0.115.3. The vulnerability can be exploited by sending...

CVSS 7.5, EPSS 0.00225
Exploits: 0, References: 1
CVE, added 2025/03/20 10:10 a.m., 61 views

CVE-2025-0182

The CVE-2025-0182 entry affects danswer-ai/danswer (v0.9.0). The root cause is use of a vulnerable Starlette version (

CVSS 7.5, AI score 6.8, EPSS 0.00225
Exploits: 0, References: 1
Vulnrichment, added 2025/03/20 10:09 a.m., 5 views

CVE-2024-8028 Denial of Service in danswer-ai/danswer

A vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to cause a Denial of Service (DoS) by uploading a file with a malformed multipart boundary. By appending a large number of characters to the end of the multipart boundary, the server continuously processes each character, rendering th...

CVSS 7.5, AI score 7.4, EPSS 0.00308
Exploits: 0, References: 1
Cvelist, added 2025/03/20 10:09 a.m., 8 views

CVE-2024-8028 Denial of Service in danswer-ai/danswer

A vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to cause a Denial of Service (DoS) by uploading a file with a malformed multipart boundary. By appending a large number of characters to the end of the multipart boundary, the server continuously processes each character, rendering th...

CVSS 7.5, EPSS 0.00308
Exploits: 0, References: 1
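Both denial-of-service entries above (CVE-2024-8028 and CVE-2025-0182) concern multipart input: a boundary with an enormous tail appended to it that the server then walks character by character, and, via the dependency, a multipart body that keeps the parser allocating until memory runs out. The following is an added example for this listing, not danswer-ai/danswer, Starlette or FastAPI code: the bounds a practitioner would enforce in front of any multipart parser, with a small delimiter-based splitter that applies them. All limits and the sample body are assumptions.

```python
"""Bounding a multipart/form-data upload before it reaches the parser.

Added example for this page, not danswer-ai/danswer, Starlette or FastAPI
code. Both DoS entries in the listing are about multipart input that keeps
the server busy or allocating: a boundary with a huge tail appended to it,
or a body whose parts keep coming. The checks here sit in front of any
multipart parser: the boundary must satisfy RFC 2046 (1 to 70 characters
from a fixed set, no trailing space), the number of parts is capped, and
each part is capped in bytes. The splitter locates delimiters with
bytes.find rather than scanning per character. All limits and the sample
body are assumptions.
"""
import re

# RFC 2046 section 5.1.1: boundary := 0*69<bchars> bcharsnospace
_BCHARS = r"[0-9A-Za-z'()+_,\-./:=? ]"
_BCHAR_NOSPACE = r"[0-9A-Za-z'()+_,\-./:=?]"
BOUNDARY_RE = re.compile(_BCHARS + r"{0,69}" + _BCHAR_NOSPACE)
MAX_PARTS = 50            # assumed limit
MAX_PART_BYTES = 8 << 20  # assumed limit


def extract_boundary(content_type: str) -> str:
    """Return the boundary parameter if the header is well-formed, else raise."""
    media, _, params = content_type.partition(";")
    if media.strip().lower() != "multipart/form-data":
        raise ValueError("not multipart/form-data")
    for param in params.split(";"):
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "boundary":
            value = value.strip().strip('"')
            if not BOUNDARY_RE.fullmatch(value):
                raise ValueError(f"boundary rejected (length {len(value)})")
            return value
    raise ValueError("boundary parameter missing")


def boundary_ok(content_type: str) -> bool:
    try:
        extract_boundary(content_type)
    except ValueError:
        return False
    return True


def split_parts(body: bytes, boundary: str, max_parts: int = MAX_PARTS,
                max_part_bytes: int = MAX_PART_BYTES) -> list:
    """Return the raw parts (headers + payload) between delimiters, enforcing limits."""
    delim = b"--" + boundary.encode("ascii")
    parts = []
    pos = body.find(delim)
    if pos < 0:
        raise ValueError("first delimiter not found")
    while True:
        pos += len(delim)
        if body.startswith(b"--", pos):      # closing delimiter: done
            return parts
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated after delimiter")
        start = eol + 2
        end = body.find(b"\r\n" + delim, start)
        if end < 0:
            raise ValueError("unterminated part")
        if end - start > max_part_bytes:
            raise ValueError("part exceeds size limit")
        parts.append(body[start:end])
        if len(parts) > max_parts:
            raise ValueError("too many parts")
        pos = end + 2


def parts_or_none(body: bytes, boundary: str, **limits):
    """split_parts, but report a rejected body as None instead of raising."""
    try:
        return split_parts(body, boundary, **limits)
    except ValueError:
        return None


# Constructed sample body with two parts and boundary "XYZ".
SAMPLE_BODY = (
    b"--XYZ\r\nContent-Disposition: form-data; name=\"note\"\r\n\r\nhello\r\n"
    b"--XYZ\r\nContent-Disposition: form-data; name=\"file\"; filename=\"x.txt\"\r\n"
    b"Content-Type: text/plain\r\n\r\ndata\r\n"
    b"--XYZ--\r\n"
)
```

Upgrading the dependency is the real fix for CVE-2025-0182; the header and part limits above are the compensating control for the time until that upgrade ships, and a cheap way to confirm in a test that a Content-Type with a 100 kB boundary is rejected before the body is read.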