CVE-2024-3404

In gaizhenbiao/chuanhuchatgpt, specifically the version tagged as 20240121, there exists a vulnerability due to improper access control mechanisms. This flaw allows an authenticated attacker to bypass intended access restrictions and read the `history` files of other users, potentially leading to unauthorized access to sensitive information. The vulnerability is present in the application's handling of access control for the `history` path, where no adequate mechanism is in place to prevent an authenticated user from accessing another user's chat history files. This issue poses a significant risk as it could allow attackers to obtain sensitive information from the chat history of other users.

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/ed32fc32-cb8f-4fbd-8209-cc835d279699	Exploit Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gaizhenbiao:chuanhuchatgpt:*:*:*:*:*:*:*:*

History

24 Sep 2024, 14:11

Type	Values Removed	Values Added
References	~~() https://huntr.com/bounties/ed32fc32-cb8f-4fbd-8209-cc835d279699 -~~	() https://huntr.com/bounties/ed32fc32-cb8f-4fbd-8209-cc835d279699 - Exploit, Issue Tracking, Patch, Third Party Advisory
First Time		Gaizhenbiao Gaizhenbiao chuanhuchatgpt
CPE		cpe:2.3:a:gaizhenbiao:chuanhuchatgpt::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

06 Jun 2024, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-06 19:16

Updated : 2024-09-24 14:11

NVD link : CVE-2024-3404

Mitre link : CVE-2024-3404

JSON object : View

Products Affected

gaizhenbiao

chuanhuchatgpt

CWE

CWE-284

Improper Access Control

6.5 /10