Stored Cross-site Scripting Vulnerability in Dify by langgenius
CVE-2024-11850
6.8MEDIUM
Summary
A stored XSS vulnerability exists in Dify due to inadequate validation and sanitization of user inputs in the chatbot's SVG markdown support. This flaw allows attackers to inject malicious SVG content that can execute arbitrary JavaScript when viewed by an admin. Such exploitation can lead to severe consequences, including unauthorized access to sensitive data and potential credential theft.
Affected Version(s)
langgenius/dify <= unspecified
References
CVSS V3.0
Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved