Platform
javascript
Component
chatgpt-web
Fixed in
2.11.2
A problematic cross-site scripting (XSS) vulnerability has been identified in chatgpt-web versions 2.11.1–2.11.1. This flaw allows attackers to inject malicious JavaScript code through the Description parameter, potentially compromising user sessions and executing arbitrary code within the user's browser context. The vulnerability has been publicly disclosed and a fix is available in version 2.11.2.
Successful exploitation of CVE-2023-7215 allows an attacker to inject arbitrary JavaScript code into the chatgpt-web application. This can lead to a variety of malicious actions, including session hijacking, stealing sensitive user data (such as API keys or authentication tokens), and defacing the application. The attacker could potentially redirect users to phishing sites or install malware. The impact is primarily limited to the user's browser session, but the consequences can be severe depending on the sensitivity of the data accessed within that session.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score is LOW, indicating that exploitation is likely to require some level of user interaction. The vulnerability is tracked in the VDB as VDB-249779. Active exploitation campaigns are not currently confirmed, but the public disclosure increases the risk of opportunistic attacks.
Exploit Status
EPSS
0.20% (42% percentile)
CVSS Vector
The primary mitigation for CVE-2023-7215 is to upgrade to version 2.11.2 of chatgpt-web, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing input validation and sanitization on the Description parameter to prevent the injection of malicious code. While not a complete solution, this can reduce the attack surface. Review and update any existing web application firewalls (WAFs) to block requests containing suspicious JavaScript payloads in the Description parameter. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) through the Description parameter and verifying that it does not execute.
Update to a version later than 2.11.1 that fixes the XSS vulnerability. Refer to the project repository on GitHub for more information about the update and patched versions. As a temporary measure, filter or escape user inputs in the 'Description' field to prevent malicious code injection.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2023-7215 is a cross-site scripting (XSS) vulnerability affecting chatgpt-web versions 2.11.1–2.11.1. It allows attackers to inject malicious JavaScript code via the Description parameter.
If you are using chatgpt-web version 2.11.1, you are potentially affected by this vulnerability. Upgrade to version 2.11.2 to mitigate the risk.
The recommended fix is to upgrade to version 2.11.2 of chatgpt-web. As a temporary workaround, implement input validation and sanitization on the Description parameter.
While active exploitation campaigns are not currently confirmed, the public disclosure increases the risk of opportunistic attacks. It's crucial to apply the patch promptly.
Refer to the chatgpt-web project's official release notes or security advisories for details on the fix and any related information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.