Stored Cross-site Scripting Vulnerability in Dify by langgenius
CVE-2024-11850

6.8MEDIUM

Key Information:

Vendor
Langgenius
Vendor
CVE Published:
20 March 2025

Summary

A stored XSS vulnerability exists in Dify due to inadequate validation and sanitization of user inputs in the chatbot's SVG markdown support. This flaw allows attackers to inject malicious SVG content that can execute arbitrary JavaScript when viewed by an admin. Such exploitation can lead to severe consequences, including unauthorized access to sensitive data and potential credential theft.

Affected Version(s)

langgenius/dify <= unspecified

References

CVSS V3.0

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.