THREATINT

CVE
PUBLISHED

CVE-2024-5887

CSRF in stitionai/devika

Assigner: @huntr_ai
Reserved: 2024-06-11
Published: 2024-07-03
Updated: 2024-07-12

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in stitionai/devika due to a loosely set CORS policy. This vulnerability allows an attacker to exploit any API endpoint if the user hosting the server visits an attacker-controlled website. The impact includes the ability to read and write files on the system, create or delete projects, and change settings. However, it does not allow sending messages or commands to the model via WebSocket.
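The root cause described above is a CORS policy that lets any origin interact with the API. The following is an added illustration, not code from the devika project: it contrasts a permissive policy that reflects whatever Origin arrives (and grants credentials) with an allow-list policy, and adds the server-side gate that state-changing endpoints (file writes, project create/delete, settings) need, because CORS headers only decide whether the browser may read the response, not whether the request reaches the server. The allow-list and the header values are constructed for the example.

```python
# Added example (not the devika project's own code): weak vs. allow-listed
# CORS handling plus a server-side check for state-changing requests.
from urllib.parse import urlsplit

# Constructed allow-list: the UI origins this API is expected to serve.
ALLOWED_ORIGINS = {"http://localhost:3000", "http://127.0.0.1:3000"}


def cors_headers_permissive(origin):
    """The weak setting: reflects any Origin and grants credentials.
    Any site the user visits can then call the API and read the responses."""
    return {
        "Access-Control-Allow-Origin": origin or "*",
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_strict(origin, allowed=ALLOWED_ORIGINS):
    """Emit CORS headers only for an allow-listed origin; unknown origins get
    no CORS headers at all, so the browser blocks the cross-origin read."""
    if origin in allowed:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # cache must not reuse one origin's answer for another
        }
    return {}


def should_accept_state_change(method, headers, allowed=ALLOWED_ORIGINS):
    """Server-side gate for POST/PUT/DELETE/PATCH.

    Even with a strict CORS policy the request itself still arrives, so the
    handler must decide on its own whether the caller is trusted:
      1. the Origin header (falling back to the scheme+host of Referer)
         must be on the allow-list;
      2. a custom header must be present. Browsers only attach custom
         headers cross-site after a successful preflight, which the strict
         policy never grants to an unknown origin.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer:
            parts = urlsplit(referer)
            origin = f"{parts.scheme}://{parts.netloc}"
    if origin not in allowed:
        return False
    return headers.get("X-Requested-With") == "XMLHttpRequest"


if __name__ == "__main__":
    # Constructed cross-site request: a page on another origin posting to the API.
    hostile = {"Origin": "https://other-site.example", "X-Requested-With": "XMLHttpRequest"}
    print("permissive:", cors_headers_permissive(hostile["Origin"]))
    print("strict:    ", cors_headers_strict(hostile["Origin"]))
    print("accept write from other origin:", should_accept_state_change("POST", hostile))
```

With the permissive policy the first print shows the hostile origin reflected back with credentials allowed, which is exactly what lets a visited page drive every endpoint; the strict policy returns no CORS headers for it, and the write gate refuses the request independently of what the browser would have done with the response.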



HIGH: 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-352 Cross-Site Request Forgery (CSRF)

Product status

Any version affected

References

https://huntr.com/bounties/aa4f1c38-5b38-4cdc-91e1-68d3ec2350f2

cve.org CVE-2024-5887

nvd.nist.gov CVE-2024-5887

https://cve.threatint.com/CVE/CVE-2024-5887