Search results for "StitionaiDevika": 11 matches found

CVE-2024-5334
Added 2024/06/27 5:33 p.m., 197 views

Summary of CVE-2024-5334 (Devika): A local file read vulnerability exists in the stitionai/devika repository due to improper handling of the ‘snapshot_path’ parameter in the POST/GET endpoint “/api/get-browser-snapshot.” Attackers can craft a request with a malicious snapshot_path to read arbitra...

CVSS 7.5 | AI score 7.3 | EPSS 0.02073
Tags: In wild, Web
CVE-2024-40422
Added 2024/07/24 12:00 a.m., 130 views

CVE-2024-40422 concerns path traversal in the Devika v1 snapshot API. Affected: stitionai devika version v1, endpoint /api/get-browser-snapshot. Root cause: manipulation of the snapshot_path parameter lets an attacker traverse directories and access sensitive server files, enabling confidentialit...

CVSS 9.1 | AI score 6.4 | EPSS 0.11414
Tags: Web
CVE-2024-5926
Added 2024/06/30 12:00 a.m., 69 views

CVE-2024-5926 involves a path traversal in stitionai/devika’s get-project-files function. The root cause is insufficient path sanitization for the project-name parameter, enabling an attacker to traverse the filesystem and read arbitrary files, potentially causing a Denial of Service across all v...

CVSS 9.1 | AI score 9.1 | EPSS 0.00864
CVE-2024-5549
Added 2024/07/09 12:00 a.m., 68 views

CVE-2024-5549 involves a CORS misconfiguration in the stitionai/devika repository. The root cause is improper origin validation, permitting unauthorized cross-origin requests. Impact stated includes data leakage (logs, browser sessions, private API keys) and the ability to perform actions on beha...

CVSS 8.1 | AI score 7.9 | EPSS 0.00291
CVE-2024-5711
Added 2024/07/08 12:00 a.m., 54 views

The CVE-2024-5711 entry describes a stored XSS in the stitionai/devika chat feature caused by insufficient input validation/sanitization on both frontend and backend. Affected: stitionai/devika chat input across all versions. Impact per documents includes potential execution of arbitrary JavaScri...

CVSS 8.1 | AI score 6.3 | EPSS 0.00477
CVE-2024-5547
Added 2024/06/27 5:33 p.m., 53 views

CVE-2024-5547 is a directory traversal vulnerability in the stitionai/devika repository, exposed via the GET /api/download-project-pdf endpoint. The issue stems from insufficient sanitization of the project_name parameter in the download_project_pdf function, enabling an attacker to manipulate th...

CVSS 7.5 | AI score 7.4 | EPSS 0.01
Tags: Web
CVE-2024-5712
Added 2024/06/28 7:19 p.m., 46 views

The CVE-2024-5712 entry concerns stitionai/devika (latest version) with a Cross-Site Request Forgery (CSRF) flaw. The underlying issue is absence of CSRF protections, allowing an attacker to trigger unauthorized actions in a victim’s browser context, such as deleting projects or changing settings...

CVSS 8.1 | AI score 8.1 | EPSS 0.00261
CVE-2024-5820
Added 2024/06/27 6:40 p.m., 46 views

CVE-2024-5820 describes an unprotected WebSocket in the stitionai/devika backend (commit ecee79f). This vulnerability allows a malicious website to connect to the backend, issue commands on behalf of the user, and have the backend serve all listeners on the socket, enabling interception of user-b...

CVSS 8.8 | AI score 7.7 | EPSS 0.00788
CVE-2024-7790
Added 2024/08/14 1:49 p.m., 44 views

CVE-2024-7790 describes a stored cross-site scripting vulnerability in DevikaAI affecting input handling since commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2. The root cause cited is improperly decoded user input, enabling a stored XSS condition. The CVE entries and connected sources consistent...

CVSS 6.5 | AI score 6.4 | EPSS 0.00318
CVE-2024-5548
Added 2024/06/27 5:33 p.m., 43 views

Summary (CVE-2024-5548): A directory traversal vulnerability exists in the stitionai/devika repository, affecting the /api/download-project endpoint. The flaw stems from insufficient input validation in the download_project function, when handling the project_name parameter, enabling an attacker ...

CVSS 7.5 | AI score 7.5 | EPSS 0.01021
Tags: Web
CVE-2024-6331
Added 2024/08/04 12:00 a.m., 36 views

CVE-2024-6331 affects stitionai/devika: Local File Read via Prompt Injection on the main branch as of commit cdfb782b0e634b773b10963c8034dc9207ba1f9f. The issue stems from prompt-injection allowing execution of commands that can read sensitive files (e.g., /etc/passwd) due to HarmBlockThreshold.B...

CVSS 7.5 | AI score 7.6 | EPSS 0.00496