CVE-2024-10956
CVE-2024-10956 is a high-severity vulnerability with a CVSS base score of 7.1: a Cross-Site WebSocket Hijacking (CSWSH) flaw in GPT Academy version 3.83 (binary-husky/gpt_academic). EPSS estimates a 0.33% chance of exploitation in the next 30 days.
Description
GPT Academy version 3.83 in the binary-husky/gpt_academic repository is vulnerable to Cross-Site WebSocket Hijacking (CSWSH). This vulnerability allows an attacker to hijack an existing WebSocket connection between the victim's browser and the server, enabling unauthorized actions such as deleting conversation history without the victim's consent. The issue arises due to insufficient WebSocket authentication and lack of origin validation.
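The two weaknesses the description names, missing origin validation and insufficient WebSocket authentication, are both checked at the upgrade handshake in the illustration below. This is an added example, not code from gpt_academic; the origins, session ids and token values are constructed, and the token scheme (the page's own script fetches a per-session token from a same-origin endpoint and passes it on the WebSocket URL, where a cross-site page cannot obtain it) is an assumption about how such a check would be wired in.

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed values for the example: the origins the web UI is served from, and the
# per-session WebSocket tokens the server issued at login (session id -> token).
ALLOWED_ORIGINS = {"https://gpt.example.org", "https://gpt.example.org:8443"}
SESSION_WS_TOKENS = {"sess-1": "tok-a1b2c3"}


def normalize_origin(origin):
    """Canonicalise an Origin value to scheme://host[:port]; None if malformed."""
    try:
        p = urlsplit(origin.strip())
        port = p.port
    except ValueError:
        return None
    if p.scheme not in ("http", "https") or not p.hostname or p.path not in ("", "/"):
        return None
    host = p.hostname.lower()
    default = 443 if p.scheme == "https" else 80
    return f"{p.scheme}://{host}" if port in (None, default) else f"{p.scheme}://{host}:{port}"


def check_ws_handshake(target, headers, allowed=ALLOWED_ORIGINS, tokens=SESSION_WS_TOKENS):
    """Return (allowed, reason) for a WebSocket upgrade request.

    target:  the request target, e.g. "/ws?token=..."
    headers: the request headers (header names are matched case-insensitively)
    """
    h = {k.lower(): v for k, v in headers.items()}
    # 1. Origin allowlist. Browsers always send Origin on WebSocket upgrades, so a
    #    missing or foreign value means the request did not come from our own pages.
    origin = normalize_origin(h.get("origin", ""))
    if origin is None or origin not in {normalize_origin(a) for a in allowed}:
        return False, "origin rejected: %r" % h.get("origin")
    # 2. Per-session token (assumed scheme). A cross-site page can make the browser
    #    attach the session cookie automatically, but it cannot read this token, so
    #    the cookie alone must never be enough to authenticate the socket.
    cookies = SimpleCookie(h.get("cookie", ""))
    session = cookies["session"].value if "session" in cookies else None
    token = parse_qs(urlsplit(target).query).get("token", [""])[0]
    expected = tokens.get(session, "")
    if not expected or not hmac.compare_digest(expected.encode(), token.encode()):
        return False, "session token missing or invalid"
    return True, "ok"
```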
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Binary-Husky | Gpt Academic | 3.83 |
References
- https://huntr.com/bounties/0f8403ad-5f60-4eb9-9f51-8fbd2e41eda4 (Exploit, Third Party Advisory)
Source: NVD / NIST
