Description

An unprotected WebSocket connection in the latest version of stitionai/devika (commit ecee79f) allows a malicious website to connect to the backend and issue commands on behalf of the user. The backend serves all listeners on the given socket, enabling any such malicious website to intercept all communication between the user and the backend. This vulnerability can lead to unauthorized command execution and potential server-side request forgery.

INFO

Published Date: 2024-06-27T18:40:57.321Z

Last Modified: 2024-08-01T21:25:02.832Z

Source: @huntr_ai

AFFECTED PRODUCTS

The following products are affected by CVE-2024-5820.

Vendor: Stitionai
Product: Devika
