CVE-2024-5334
Summary of CVE-2024-5334 (Devika): A local file read vulnerability exists in the stitionai/devika repository due to improper handling of the ‘snapshot_path’ parameter in the POST/GET endpoint “/api/get-browser-snapshot.” Attackers can craft a request with a malicious snapshot_path to read arbitra...
CVE-2024-40422
CVE-2024-40422 concerns path traversal in the Devika v1 snapshot API. Affected: stitionai devika version v1, endpoint /api/get-browser-snapshot. Root cause: manipulation of the snapshot_path parameter lets an attacker traverse directories and access sensitive server files, enabling confidentialit...
CVE-2024-5926
CVE-2024-5926 involves a path traversal in stitionai/devika’s get-project-files function. The root cause is insufficient path sanitization for the project-name parameter, enabling an attacker to traverse the filesystem and read arbitrary files, potentially causing a Denial of Service across all v...
CVE-2024-5549
CVE-2024-5549 involves a CORS misconfiguration in the stitionai/devika repository. The root cause is improper origin validation, permitting unauthorized cross-origin requests. Stated impact includes data leakage (logs, browser sessions, private API keys) and the ability to perform actions on beha...
CVE-2024-5711
The CVE-2024-5711 entry describes a stored XSS in the stitionai/devika chat feature caused by insufficient input validation/sanitization on both the frontend and the backend. Affected: stitionai/devika chat input across all versions. Impact, per the cited documents, includes potential execution of arbitrary JavaScri...
CVE-2024-5547
CVE-2024-5547 is a directory traversal vulnerability in the stitionai/devika repository, exposed via the GET /api/download-project-pdf endpoint. The issue stems from insufficient sanitization of the project_name parameter in the download_project_pdf function, enabling an attacker to manipulate th...
CVE-2024-5712
The CVE-2024-5712 entry concerns stitionai/devika (latest version) with a Cross-Site Request Forgery (CSRF) flaw. The underlying issue is absence of CSRF protections, allowing an attacker to trigger unauthorized actions in a victim’s browser context, such as deleting projects or changing settings...
CVE-2024-5820
CVE-2024-5820 describes an unprotected WebSocket in the stitionai/devika backend (commit ecee79f). This vulnerability allows a malicious website to connect to the backend, issue commands on behalf of the user, and have the backend serve all listeners on the socket, enabling interception of user-b...
CVE-2024-7790
CVE-2024-7790 describes a stored cross-site scripting vulnerability in DevikaAI affecting input handling since commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2. The root cause cited is improperly decoded user input, enabling a stored XSS condition. The CVE entries and connected sources consistent...
CVE-2024-5548
Summary (CVE-2024-5548): A directory traversal vulnerability exists in the stitionai/devika repository, affecting the /api/download-project endpoint. The flaw stems from insufficient input validation in the download_project function, when handling the project_name parameter, enabling an attacker ...
CVE-2024-6331
CVE-2024-6331 affects stitionai/devika: Local File Read via Prompt Injection on the main branch as of commit cdfb782b0e634b773b10963c8034dc9207ba1f9f. The issue stems from prompt-injection allowing execution of commands that can read sensitive files (e.g., /etc/passwd) due to HarmBlockThreshold.B...