CVE-2024-5711

MEDIUM EPSS 37.7%
Published Jul 8, 20241y ago · Modified Jun 17, 20261w ago
6.1 CVSS 3.1
Medium
Find Similar
Published Jul 8, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in the stitionai/devika chat feature, allowing attackers to inject malicious payloads into the chat input. This vulnerability is due to the lack of input validation and sanitization on both the frontend and backend components of the application. Specifically, the application fails to sanitize user input in the chat feature, leading to the execution of arbitrary JavaScript code in the context of the user's browser session. This issue affects all versions of the application. The impact of this vulnerability includes the potential for stolen credentials, extraction of sensitive information from chat logs, projects, and other data accessible through the application.

CVSS Details

Base Score
6.1
Exploitability
2.8
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
37.7% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
stitionaidevika*any

References 2

  • github.com https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2
    Patch
  • huntr.com https://huntr.com/bounties/6c00ff84-574b-4b4f-bd58-aa7ec1809662
    ExploitPatch

Remediation

  • github.com https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2
    Patch
  • huntr.com https://huntr.com/bounties/6c00ff84-574b-4b4f-bd58-aa7ec1809662
    ExploitPatch