CVE-2024-9612
Last modified
CVE-2024-9612 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search page. When the search page is set to be invisible, regular users cannot view the search page or access its functionalities from the front-end interface. EPSS estimates a 0.66% chance of exploitation in the next 30 days.
Description
In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search page. When the search page is set to be invisible, regular users cannot view the search page or access its functionalities from the front-end interface. However, the back-end does not verify the visibility status of the search page. Consequently, attackers can directly call the API to access the functionalities provided by the search page, bypassing the visibility restriction set by the administrator.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Onyx | Onyx | 0.3.94 |
References
- https://huntr.com/bounties/c1046fa0-a719-475e-ba62-2b97873fbac4Exploit, Third Party Advisory
- https://huntr.com/bounties/c1046fa0-a719-475e-ba62-2b97873fbac4Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-9612?
How severe is CVE-2024-9612?
How do I fix CVE-2024-9612?
Are you affected by CVE-2024-9612?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST