PYSEC-2024-267

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/chuanhuchatgpt/PYSEC-2024-267.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2024-267

Aliases

CVE-2024-4321

Published

2024-05-16T09:15:16.327Z

Modified

2026-05-21T15:00:06.574302418Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

A Local File Inclusion (LFI) vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically within the functionality for uploading chat history. The vulnerability arises due to improper input validation when handling file paths during the chat history upload process. An attacker can exploit this vulnerability by intercepting requests and manipulating the 'name' parameter to specify arbitrary file paths. This allows the attacker to read sensitive files on the server, leading to information leakage, including API keys and private information. The issue affects version 20240310 of the application.

References

https://huntr.com/bounties/19a16f8e-3d92-498f-abc9-8686005f067e

Affected packages

PyPI / chuanhuchatgpt

Package

Name: chuanhuchatgpt; View open source insights on deps.dev
Purl: pkg:pypi/chuanhuchatgpt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

20240310

Affected versions

3.*

3.2.5

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/chuanhuchatgpt/PYSEC-2024-267.yaml"