CVE-2024-3402

low-risk
Published 2024-06-06

A stored Cross-Site Scripting (XSS) vulnerability existed in version (20240121) of gaizhenbiao/chuanhuchatgpt due to inadequate sanitization and validation of model output data. Despite user-input validation efforts, the application fails to properly sanitize or validate the output from the model, allowing for the injection and execution of malicious JavaScript code within the context of a user's browser. This vulnerability can lead to the execution of arbitrary JavaScript code in the context of other users' browsers, potentially resulting in the hijacking of victims' browsers.

Do I need to act?

-
0.20% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Gaizhenbiao

References (2)

Exploit https://huntr.com/bounties/389570c4-0bf2-4bc3-84f5-2e7afdba8ed1
Exploit https://huntr.com/bounties/389570c4-0bf2-4bc3-84f5-2e7afdba8ed1
27
/ 100
low-risk
Severity 21/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal