CVE-2024-11824

MEDIUM Year: 2024
CVSS v3 Score
5.8
Medium
Weakness Type
CWE-79
View all →

Vulnerability Description

A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. The vulnerability arises because certain HTML tags like <input> and <form> are not disallowed, allowing an attacker to inject malicious HTML into the log via prompts. When an admin views the log containing the malicious HTML, the attacker could steal the admin's credentials or sensitive information. This issue is fixed in version 0.12.1.

Related Vulnerabilities

CVE-2019-11507

MEDIUM
CVSS:5.8(Medium)

In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9.0.x before 9.0R3, an XSS issue has been found on the Application Launcher page.

CWE-792019

CVE-2020-9405

MEDIUM
CVSS:5.8(Medium)

IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.

CWE-792020

CVE-2022-3211

MEDIUM
CVSS:5.8(Medium)

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.6.

CWE-792022

CVE-2023-0337

MEDIUM
CVSS:5.8(Medium)

Cross-site Scripting (XSS) - Reflected in GitHub repository lirantal/daloradius prior to master-branch.

CWE-792023

CVE-2023-0338

MEDIUM
CVSS:5.8(Medium)

Cross-site Scripting (XSS) - Reflected in GitHub repository lirantal/daloradius prior to master-branch.

CWE-792023

CVE-2023-2021

MEDIUM
CVSS:5.8(Medium)

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.3.

CWE-792023