CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6035 – Stored XSS in gaizhenbiao/chuanhuchatgpt
https://notcve.org/view.php?id=CVE-2024-6035
11 Jul 2024 — A Stored Cross-Site Scripting (XSS) vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410. This vulnerability allows an attacker to inject malicious JavaScript code into the chat history file. When a victim uploads this file, the malicious script is executed in the victim's browser. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks. Existe una vulnerabilidad de Cross Site Scripting almacenado (XSS) en gaizhenbiao/chuanhuchatgpt versión 20240410. • https://huntr.com/bounties/e4e8da71-53a9-4540-8d70-6b670b076987 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-4520 – Improper Access Control in gaizhenbiao/chuanhuchatgpt
https://notcve.org/view.php?id=CVE-2024-4520
04 Jun 2024 — An improper access control vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically in version 20240410. This vulnerability allows any user on the server to access the chat history of any other user without requiring any form of interaction between the users. Exploitation of this vulnerability could lead to data breaches, including the exposure of sensitive personal details, financial data, or confidential conversations. Additionally, it could facilitate identity theft and manipulati... • https://huntr.com/bounties/0dd2da9f-998d-45aa-a646-97391f524000 • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34094 – ChuanhuChatGPT vulnerable to unauthorized configuration file access
https://notcve.org/view.php?id=CVE-2023-34094
02 Jun 2023 — ChuanhuChatGPT is a graphical user interface for ChatGPT and many large language models. A vulnerability in versions 20230526 and prior allows unauthorized access to the config.json file of the privately deployed ChuanghuChatGPT project, when authentication is not configured. The attacker can exploit this vulnerability to steal the API keys in the configuration file. The vulnerability has been fixed in commit bfac445. As a workaround, setting up access authentication can help mitigate the vulnerability. • https://github.com/GaiZhenbiao/ChuanhuChatGPT/commit/bfac445e799c317b0f5e738ab394032a18de62eb • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-306: Missing Authentication for Critical Function •