PRIOn Logo

CVE-2024-5711 Cross site scripting

Routine
Remediate Within 6 Months

CVE Information

Original CVE data

Published:
Updated:

A stored Cross-Site Scripting (XSS) vulnerability exists in the stitionai/devika chat feature, allowing attackers to inject malicious payloads into the chat input. This vulnerability is due to the lack of input validation and sanitization on both the frontend and backend components of the application. Specifically, the application fails to sanitize user input in the chat feature, leading to the execution of arbitrary JavaScript code in the context of the user's browser session. This issue affects all versions of the application. The impact of this vulnerability includes the potential for stolen credentials, extraction of sensitive information from chat logs, projects, and other data accessible through the application.

CWE: CWE-79
CVSS v2-
CVSS v36.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
https://huntr.com/bounties/6c00ff84-574b-4b4f-bd58-aa7ec1809662
https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2
Affected Vendors

Stitionai - (1)

Basic Analysis

Common vulnerability metrics

Vulnerabilty type as detected by PRIOnengine

Cross site scripting

CVSS Scores as calculated by PRIOnengine
CVSS v23.5
AV:N/AC:M/AU:S/C:N/I:P/A:N
CVSS v35.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
MITRE CWE Top 25

Vulnerability weakness type is in the top 25 CWEs according to MITRE. View Mitre Top 25 CWEs

Exploits

No exploit code is reported to exist.

Active Exploitation

Vulnerability is not in CISA's Known Exploited Vulnerabilities (KEV) catalog. See the KEV Catalog

Social Network Activity

-

Threat Actor Activity

No sightings of the vulnerability within threat reports.

Cybersecurity Frameworks

How the vulnerability maps against various cybersecurity frameworks

T1591 - Gather Victim Org Information
T1590 - Gather Victim Network Information
T1589.001 - Gather Victim Identity Information (Credentials)
T1566.002 - Phishing (Spearphishing Link)
T1566 - Phishing
T1552 - Unsecured Credentials
T1539 - Steal Web Session Cookie
T1499.004 - Endpoint Denial of Service (Application or System Exploitation)
T1190 - Exploit Public-Facing Application
T1189 - Drive-by Compromise
T1082 - System Information Discovery
T1078 - Valid Accounts
T1059 - Command and Scripting Interpreter
T1021 - Remote Services
T1003 - OS Credential Dumping

Compliance Impact

How the submited vulnerability affects compliance

PCI DSS v3.2.1-6.5.8 - Improper Access Control
PCI DSS v3.2.1-6.5.7 - Cross Site Scripting
PCI DSS v3.2.1-6.5.5 - Improper Error Handling

Web Application Security Frameworks

Applicable if the issue likely affects a web application

WASC-8 - Cross Site Scripting