CVE-2024-11824

Published: Mar 20, 2025

Modified: Mar 20, 2025

PUBLISHED

CVSS v3.0

5.8

MEDIUM

Description

A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. The vulnerability arises because certain HTML tags like <input> and <form> are not disallowed, allowing an attacker to inject malicious HTML into the log via prompts. When an admin views the log containing the malicious HTML, the attacker could steal the admin's credentials or sensitive information. This issue is fixed in version 0.12.1.

Vendor	Product	Versions
langgenius	langgenius/dify	affected `unspecified - < 0.12.1`

Weaknesses (CWE)

CWE-79

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

References

https://huntr.com/bounties/72387deb-6e64-48ed-a8c3-b50d22a0970f

https://github.com/langgenius/dify/commit/55edd5047e6fcbc9bb56a4ea055fcce090f3eb5d

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-11824

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References