Arbitrary File Path Injection Vulnerability in Chat History Upload
CVE-2024-4321
Key Information:
- Vendor: Gaizhenbiao
- Affected project: Gaizhenbiao/chuanhuchatgpt
- CVE Published: 16 May 2024
Summary
A Local File Inclusion (LFI) vulnerability has been identified in the Gaizhenbiao Chuanhu ChatGPT application, specifically in the chat history upload feature. The flaw stems from inadequate input validation of the file path derived from the upload request. An attacker can exploit it by intercepting an upload request and altering the 'name' parameter, which may allow them to read arbitrary files on the server. Such unauthorized access can expose sensitive information, including API keys and private user data. The vulnerability affects version 20240310 of the application, so prompt remediation is needed to protect sensitive data from unauthorized disclosure.
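The root cause described above is a filename taken from a request parameter and used to build a path without confining it to the history directory. The following is an added illustration of that pattern and of a hardened replacement; it is not code from the chuanhuchatgpt project. The directory name, the `.json` suffix and the function names are assumptions chosen for the example.

```python
import re
from pathlib import Path

# Constructed example location for stored chat histories (not the project's real path).
HISTORY_DIR = Path("/tmp/chuanhu_history_example")

# Conservative allow-list for a history name: no separators, dots or whitespace.
_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def within(base: Path, target: Path) -> bool:
    """True if target lies strictly inside base after symlink/.. resolution."""
    base = base.resolve()
    target = target.resolve()
    return base in target.parents


def insecure_history_path(base_dir: Path, name: str) -> Path:
    """Illustrative vulnerable pattern: the request-supplied name is joined
    into the path unchecked, so '../' segments or an absolute path escape
    base_dir. This mirrors the class of bug in the advisory, not its code."""
    return base_dir / f"{name}.json"


def safe_history_path(base_dir: Path, name: str) -> Path:
    """Hardened replacement: accept only a plain identifier, then verify the
    resolved result is still inside base_dir before returning it."""
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        raise ValueError("history name must be a short identifier without path characters")
    candidate = Path(name)
    # Defence in depth: the regex already excludes these, but make the intent explicit.
    if candidate.is_absolute() or len(candidate.parts) != 1:
        raise ValueError("history name must not contain path components")
    target = base_dir / f"{name}.json"
    if not within(base_dir, target):
        raise ValueError("resolved path escapes the history directory")
    return target


def is_safe_history_name(name: str) -> bool:
    """Convenience predicate for request validation layers."""
    try:
        safe_history_path(HISTORY_DIR, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample of names as they might arrive in a 'name' parameter.
    for sample in ["chat1", "../../etc/passwd", "/etc/passwd", "..", ""]:
        print(f"{sample!r:22} safe={is_safe_history_name(sample)}")
```

The detection point for defenders is the `within` check: any history name whose resolved target is not inside the configured directory should be rejected and logged, since a legitimate client never needs separators or traversal segments in a history name.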
Affected Version(s)
gaizhenbiao/chuanhuchatgpt <= unspecified