CVE-2024-5547

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-5547
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5547.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-5547
Published
2024-06-27T18:15:20Z
Modified
2024-07-12T08:15:11Z
Summary
[none]
Details

A directory traversal vulnerability exists in the /api/download-project-pdf endpoint of the stitionai/devika repository, affecting the latest version. The vulnerability arises due to insufficient sanitization of the 'projectname' parameter in the downloadprojectpdf function. Attackers can exploit this flaw by manipulating the 'projectname' parameter in a GET request to traverse the directory structure and download arbitrary PDF files from the system. This issue allows attackers to access sensitive information that could be stored in PDF format outside the intended directory.
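As an added illustration, not code from the devika project (whose handler is not reproduced on this page), the following shows the defect class the advisory describes beside a hardened version of the same lookup; the base directory, the allowed project-name pattern and the function names are assumptions made for the example.

```python
import os
import re

# Constructed for this example; the project's real PDF directory is not stated in the advisory.
PDF_DIR = "/srv/devika/pdfs"

# Allowlist for project names: letters, digits, underscore, hyphen; no separators, no dots.
PROJECT_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def unsafe_pdf_path(project_name: str, base_dir: str = PDF_DIR) -> str:
    """The defect class from the advisory: the request parameter is appended to
    the base directory with no check, so '..' segments walk out of base_dir and
    an absolute value makes os.path.join discard base_dir entirely."""
    return os.path.join(base_dir, project_name + ".pdf")


def safe_pdf_path(project_name: str, base_dir: str = PDF_DIR) -> str:
    """Return the PDF path for a project name, or raise ValueError.

    Two independent controls, so a mistake in one does not reopen the endpoint:
    1. an allowlist on the name itself (rejects '', '..', '/', '\\' and '%'-decoded
       forms, since the framework has already URL-decoded the parameter);
    2. a containment check on the fully resolved path, which also covers
       symlinks inside base_dir that the regex cannot see.
    """
    if not PROJECT_NAME_RE.fullmatch(project_name):
        raise ValueError("invalid project name")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, project_name + ".pdf"))
    # Both paths are absolute here, so commonpath cannot raise on mixed input.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes the PDF directory")
    return candidate


def is_contained(project_name: str, base_dir: str = PDF_DIR) -> bool:
    """True when safe_pdf_path accepts the name; handy for request validation."""
    try:
        safe_pdf_path(project_name, base_dir)
        return True
    except ValueError:
        return False
```

The containment check is the one that matters for detection and review: any handler that builds a filesystem path from request input and never compares the resolved result against its base directory has this bug class regardless of how the name is spelled.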

References

Affected packages

Git / github.com/stitionai/devika

Affected ranges

Type
GIT
Repo
https://github.com/stitionai/devika
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed