@huntr_aiVULNRICHMENT:CVE-2024-5711CVE-2024-5711 Stored XSS in stitionai/devika
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
17.3%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
partial
A stored Cross-Site Scripting (XSS) vulnerability exists in the stitionai/devika chat feature, allowing attackers to inject malicious payloads into the chat input. This vulnerability is due to the lack of input validation and sanitization on both the frontend and backend components of the application. Specifically, the application fails to sanitize user input in the chat feature, leading to the execution of arbitrary JavaScript code in the context of the user’s browser session. This issue affects all versions of the application. The impact of this vulnerability includes the potential for stolen credentials, extraction of sensitive information from chat logs, projects, and other data accessible through the application.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:stitionai:devika:*:*:*:*:*:*:*:*"
],
"vendor": "stitionai",
"product": "devika",
"versions": [
{
"status": "affected",
"version": "0",
"lessThan": "6acce21",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
17.3%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
partial