Cross-Site WebSocket Hijacking Vulnerability in GPT Academy by Binary-Husky
CVE-2024-10956
7.1 HIGH
What is CVE-2024-10956?
GPT Academy version 3.83 is susceptible to a Cross-Site WebSocket Hijacking vulnerability that enables attackers to take control of an active WebSocket connection. By exploiting this flaw, an attacker can perform unauthorized actions, such as deleting conversation histories, without the user's knowledge. The issue stems from inadequate authentication mechanisms for WebSocket connections and the absence of proper origin validation, and it can lead to data loss and privacy breaches for users.
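A handshake-time check covering the two gaps the description names (no origin validation, weak connection authentication), given here as an added example and not GPT Academy's own code or its fix. The allowlisted origins, the per-session token and the function names are assumptions.

```python
import hmac
from urllib.parse import urlsplit

# Assumption: the origins the web UI is really served from (constructed values).
ALLOWED_ORIGINS = ("https://academy.example.test", "http://127.0.0.1:7860")
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return (scheme, host, port) for a serialized Origin, or None if unusable."""
    if not value or value == "null":
        return None
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # A browser-sent Origin has no path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS}


def accept_handshake(headers, session_token, expected_token):
    """Decide whether to complete the WebSocket upgrade request."""
    headers = {k.lower(): v for k, v in headers.items()}
    origin = normalize_origin(headers.get("origin"))
    # Exact tuple match: suffix or substring tests would accept look-alike hosts.
    # Policy choice: a missing Origin (non-browser client) is refused as well.
    if origin is None or origin not in ALLOWED:
        return False, "origin rejected"
    # Assumption: the token is issued to the page and sent explicitly by its
    # script; cookies alone do not help because browsers attach them cross-site.
    if not session_token or not hmac.compare_digest(
        session_token.encode(), expected_token.encode()
    ):
        return False, "token rejected"
    return True, "ok"
```
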
Affected Version(s)
binary-husky/gpt_academic <= unspecified
CVSS V3.1
Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
CVSS V3.0
Score: 7.6
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved