How severe is CVE-2024-5278?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2024-5278?

This is classified as CWE-434, which is a common weakness in software security.

CVE-2024-5278 - MEDIUM Severity | CVSS 6.5

Vulnerability Description

gaizhenbiao/chuanhuchatgpt is vulnerable to an unrestricted file upload vulnerability due to insufficient validation of uploaded file types in its `/upload` endpoint. Specifically, the `handle_file_upload` function does not sanitize or validate the file extension or content type of uploaded files, allowing attackers to upload files with arbitrary extensions, including HTML files containing XSS payloads and Python files. This vulnerability, present in the latest version as of 20240310, could lead to stored XSS attacks and potentially result in remote code execution (RCE) on the server hosting the application.

Related Vulnerabilities

CVE-2015-1785

MEDIUM

CVSS:6.5(Medium)

In nextgen-galery wordpress plugin before 2.0.77.3 there are two vulnerabilities which can allow an attacker to gain full access over the web application. The vulnerabilities lie in how the applicatio...

CWE-4342015

CVE-2015-4462

MEDIUM

CVSS:6.5(Medium)

Absolute path traversal vulnerability in the file_manager component of eFront CMS before 3.6.15.5 allows remote authenticated users to read arbitrary files via a full pathname in the "Upload file from...

CWE-4342015

CVE-2015-4463

MEDIUM

CVSS:6.5(Medium)

The file_manager component in eFront CMS before 3.6.15.5 allows remote authenticated users to bypass intended file-upload restrictions by appending a crafted parameter to the file URL.

CWE-4342015

CVE-2016-10959

MEDIUM

CVSS:6.5(Medium)

The estatik plugin before 2.3.1 for WordPress has authenticated arbitrary file upload (exploitable with CSRF) via es_media_images[] to wp-admin/admin-ajax.php.

CWE-4342016

CVE-2017-11561

MEDIUM

CVSS:6.5(Medium)

An issue was discovered in ZOHO ManageEngine OpManager 12.2. An authenticated user can upload any file they want to share in the "Group Chat" or "Alarm" section. This functionality can be abused by a ...

CWE-4342017

CVE-2017-14841

MEDIUM

CVSS:6.5(Medium)

Mojoomla Annual Maintenance Contract (AMC) Management System allows Arbitrary File Upload in profilesetting image handling.

CWE-4342017