Stored Cross-site Scripting Vulnerability in Dify by langgenius
CVE-2024-11850
6.8 MEDIUM
What is CVE-2024-11850?
A stored XSS vulnerability exists in Dify due to inadequate validation and sanitization of user inputs in the chatbot's SVG markdown support. This flaw allows attackers to inject malicious SVG content that can execute arbitrary JavaScript when viewed by an admin. Such exploitation can lead to severe consequences, including unauthorized access to sensitive data and potential credential theft.
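The description above points at the missing control: user-supplied SVG was rendered without validation or sanitization. The following is an added example of an allowlist-based SVG sanitizer for a markdown renderer; it is not Dify's code, and the tag and attribute allowlists, the drop-subtree set and the sample inputs are assumptions chosen for illustration. It keeps only known-safe drawing elements and presentation attributes, removes every event-handler attribute, `href`, and `style`, unwraps unknown elements, and discards the whole subtree of `script`, `style`, `foreignObject` and `iframe`, so inline script, handler attributes and `javascript:` links cannot survive to the admin's browser:

```javascript
// Added example, not from the Dify project: allowlist sanitizer for SVG
// markup embedded in chatbot markdown. Allowlists below are assumptions.
const ALLOWED_TAGS = new Set([
  'svg', 'g', 'path', 'rect', 'circle', 'ellipse', 'line', 'polyline',
  'polygon', 'text', 'defs', 'lineargradient', 'stop', 'title', 'desc',
]);
// Presentation/geometry attributes only: no on*, no href, no style.
const ALLOWED_ATTRS = new Set([
  'width', 'height', 'viewbox', 'xmlns', 'fill', 'stroke', 'stroke-width',
  'd', 'x', 'y', 'cx', 'cy', 'r', 'rx', 'ry', 'points', 'x1', 'y1', 'x2',
  'y2', 'transform', 'id', 'offset', 'stop-color', 'font-size', 'text-anchor',
]);
// Elements whose entire content is removed, not just the tag itself.
const DROP_CONTENT = new Set(['script', 'style', 'foreignobject', 'iframe']);

// Text nodes: neutralise angle brackets so text can never become markup.
function escapeText(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Rebuild an attribute list from scratch, keeping only allowlisted names
// whose values cannot terminate the quoted attribute.
function sanitizeAttrs(attrText) {
  const attrRe = /([a-zA-Z_:][\w:.-]*)(?:\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1];
    const value = m[3] ?? m[4] ?? m[5] ?? '';
    if (!ALLOWED_ATTRS.has(name.toLowerCase())) continue; // drops onload=, href=, style=
    if (/[<>"]/.test(value)) continue;                     // value must stay inside quotes
    out += ` ${name}="${value}"`;
  }
  return out;
}

// Walk the markup tag by tag and emit a clean copy. Unknown elements are
// unwrapped (children kept); DROP_CONTENT elements lose their whole subtree.
// Limitation: attribute values containing a literal '>' are not supported.
function sanitizeSvg(markup) {
  const tagRe = /<\/?([a-zA-Z][\w:-]*)([^<>]*?)(\/?)>/g;
  let out = '';
  let last = 0;
  let dropUntil = null; // lowercase name of the subtree currently being skipped
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    if (!dropUntil) out += escapeText(markup.slice(last, m.index));
    last = tagRe.lastIndex;
    const isClose = m[0].startsWith('</');
    const name = m[1];
    const lower = name.toLowerCase();
    const selfClose = m[3] === '/';
    if (dropUntil) {
      if (isClose && lower === dropUntil) dropUntil = null;
      continue;
    }
    if (!ALLOWED_TAGS.has(lower)) {
      if (!isClose && !selfClose && DROP_CONTENT.has(lower)) dropUntil = lower;
      continue;
    }
    if (isClose) {
      out += `</${name}>`;
    } else {
      out += `<${name}${sanitizeAttrs(m[2])}${selfClose ? '/' : ''}>`;
    }
  }
  if (!dropUntil) out += escapeText(markup.slice(last));
  return out;
}

// Constructed sample: a handler attribute, an inline script and a link
// with a javascript: URL, all of which must be removed before rendering.
const SAMPLE = '<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
  + '<script>y()</script><a href="javascript:z()"><circle r="5"/></a></svg>';
console.log(sanitizeSvg(SAMPLE));
// → <svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>
```

The point of the allowlist design is that anything new, misspelt or unexpected fails closed: an attribute is emitted only if it is on the list, so no pattern of event handlers or URL schemes needs to be enumerated. In a real deployment the renderer should call a maintained sanitizer with an SVG profile (for example DOMPurify) rather than a hand-written scanner like this one, and the sanitized output should still be rendered under a Content Security Policy that forbids inline script, so a sanitizer bypass alone does not give code execution in an admin session.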
Affected Version(s)
langgenius/dify <= unspecified