THREATINT

We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Fathom (Privacy friendly web analytics)
Zendesk (Helpdesk and Chat)

Ok

Home | EN
Support
CVE
PUBLISHED

CVE-2024-5547

Directory Traversal in stitionai/devika

Assigner@huntr_ai
Reserved2024-05-30
Published2024-06-27
Updated2024-07-12

Description

A directory traversal vulnerability exists in the /api/download-project-pdf endpoint of the stitionai/devika repository, affecting the latest version. The vulnerability arises due to insufficient sanitization of the 'project_name' parameter in the download_project_pdf function. Attackers can exploit this flaw by manipulating the 'project_name' parameter in a GET request to traverse the directory structure and download arbitrary PDF files from the system. This issue allows attackers to access sensitive information that could be stored in PDF format outside the intended directory.



HIGH: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-23 Relative Path Traversal

Product status

Any version before -
affected

References

https://huntr.com/bounties/7ea0eb5f-7643-4452-bc93-a225e2090283

https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2

cve.org CVE-2024-5547

nvd.nist.gov CVE-2024-5547

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-5547
© Copyright 2024 THREATINT. Made in Cyprus with +