CVE-2024-5887

17 Jul 2024, 12:15

Type	Values Removed	Values Added
Summary	(es) Cross-Site Request Forgery (CSRF) en stitionai/devika
Summary	(en) A Cross-Site Request Forgery (CSRF) vulnerability exists in stitionai/devika due to a loosely set CORS policy. This vulnerability allows an attacker to exploit any API endpoint if the user hosting the server visits an attacker-controlled website. The impact includes the ability to read and write files on the system, create or delete projects, and change settings. However, it does not allow sending messages or commands to the model via WebSocket.	(en) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
References	{'url': 'https://huntr.com/bounties/aa4f1c38-5b38-4cdc-91e1-68d3ec2350f2', 'source': 'security@huntr.dev'}
CVSS	v2 : unknown v3 : 8.8	v2 : unknown v3 : unknown
CWE	CWE-352

---

12 Jul 2024, 08:15

Type	Values Removed	Values Added
Summary	(en) Cross-Site Request Forgery (CSRF) in stitionai/devika	(en) A Cross-Site Request Forgery (CSRF) vulnerability exists in stitionai/devika due to a loosely set CORS policy. This vulnerability allows an attacker to exploit any API endpoint if the user hosting the server visits an attacker-controlled website. The impact includes the ability to read and write files on the system, create or delete projects, and change settings. However, it does not allow sending messages or commands to the model via WebSocket.

---

05 Jul 2024, 12:55

Type	Values Removed	Values Added
Summary		(es) Cross-Site Request Forgery (CSRF) en stitionai/devika

---

03 Jul 2024, 18:15

Type	Values Removed	Values Added
New CVE

---