Platform
javascript
Component
chatgpt-web
Fixed in
2.11.2
A problematic cross-site scripting (XSS) vulnerability has been identified in chatgpt-web version 2.11.1. This flaw allows attackers to inject malicious JavaScript code through the Description parameter, potentially compromising user sessions and executing arbitrary code within the user's browser context. The vulnerability has been publicly disclosed and a fix is available in version 2.11.2.
Successful exploitation of CVE-2023-7215 allows an attacker to inject arbitrary JavaScript code into the chatgpt-web application. This can lead to a variety of malicious actions, including session hijacking, stealing sensitive user data (such as API keys or authentication tokens), and defacing the application. The attacker could potentially redirect users to phishing sites or install malware. The impact is primarily limited to the user's browser session, but the consequences can be severe depending on the sensitivity of the data accessed within that session.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score is LOW, indicating that exploitation is likely to require some level of user interaction. The vulnerability is tracked in the VDB as VDB-249779. Active exploitation campaigns are not currently confirmed, but the public disclosure increases the risk of opportunistic attacks.
Users of chatgpt-web version 2.11.1 are at immediate risk. Specifically, those who rely on the Description parameter for user input or content display are particularly vulnerable. Shared hosting environments where multiple users share the same chatgpt-web instance are also at increased risk, as an attacker could potentially compromise the entire instance.
• javascript / web: Inspect network traffic for requests containing JavaScript code in the Description parameter. Look for patterns like <script> tags or onerror event handlers.
    // Example: check for script tags in the Description parameter.
    // `description` holds the submitted Description value; the comparison is
    // case-insensitive and also matches tags that carry attributes.
    if (description.toLowerCase().includes('<script')) {
      console.warn('Potential XSS vulnerability detected');
    }
• generic web: Examine access and error logs for unusual activity related to the Description parameter. Look for requests containing suspicious characters or patterns.
    # Example: grep for script tags in access logs (raw or URL-encoded "<", any case)
    grep -iE 'Description=(<|%3C)script' access.log
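The two checks above miss payloads that are percent-encoded (once or twice) or that use an event handler instead of a script tag. The following is an added example, not code from chatgpt-web or this advisory, that decodes the Description value from access-log lines before matching; the log format, the `/api/prompt` path and the sample lines are constructed assumptions.

```javascript
// Added example (not chatgpt-web code). Log lines and the /api/prompt path are constructed.
// Heuristic patterns named in the advisory text: script tags and inline event handlers.
const SUSPICIOUS = [
  /<\s*script\b/i,      // <script> tags, with or without attributes
  /\bon[a-z]+\s*=/i,    // inline event handlers such as onerror=
  /javascript\s*:/i,    // javascript: URLs
];

// Percent-decode repeatedly (bounded) so double-encoded values are still seen.
function fullyDecode(value, maxRounds = 3) {
  let current = value.replace(/\+/g, ' ');
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { return current; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Pull every Description value out of the request target of one log line.
function descriptionValues(logLine) {
  const match = logLine.match(/"(?:GET|POST|PUT|PATCH|DELETE) (\S+)/);
  if (!match) return [];
  const query = match[1].split('?')[1] || '';
  return query.split('&')
    .map((pair) => pair.split('='))
    .filter(([key]) => key.toLowerCase() === 'description')
    .map(([, ...rest]) => fullyDecode(rest.join('=')));
}

// Return { line, value } for each log line whose Description looks like markup.
function scanLog(lines) {
  const hits = [];
  lines.forEach((line, index) => {
    for (const value of descriptionValues(line)) {
      if (SUSPICIOUS.some((re) => re.test(value))) hits.push({ line: index + 1, value });
    }
  });
  return hits;
}

// Constructed sample input: one benign request, one encoded, one double-encoded.
const sampleLog = [
  '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /api/prompt?Description=weekly+report HTTP/1.1" 200 512',
  '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /api/prompt?Description=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 498',
  '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /api/prompt?Description=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 498',
];
console.log(scanLog(sampleLog));
```

Values sent in a POST body do not appear in standard access logs, so this only covers Description values carried in the query string.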
Exploit Status
EPSS
0.20% (percentile 42%)
CVSS Vector
The primary mitigation for CVE-2023-7215 is to upgrade to version 2.11.2 of chatgpt-web, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing input validation and sanitization on the Description parameter to prevent the injection of malicious code. While not a complete solution, this can reduce the attack surface. Review and update any existing web application firewalls (WAFs) to block requests containing suspicious JavaScript payloads in the Description parameter. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) through the Description parameter and verifying that it does not execute.
Upgrade to a version later than 2.11.1 that fixes the XSS vulnerability. See the project's GitHub repository for more information about the upgrade and the fixed versions. As a temporary measure, filter or escape user input in the 'Description' field to prevent the injection of malicious code.
CVE-2023-7215 is a cross-site scripting (XSS) vulnerability affecting chatgpt-web version 2.11.1. It allows attackers to inject malicious JavaScript code via the Description parameter.
If you are using chatgpt-web version 2.11.1, you are potentially affected by this vulnerability. Upgrade to version 2.11.2 to mitigate the risk.
The recommended fix is to upgrade to version 2.11.2 of chatgpt-web. As a temporary workaround, implement input validation and sanitization on the Description parameter.
While active exploitation campaigns are not currently confirmed, the public disclosure increases the risk of opportunistic attacks. It's crucial to apply the patch promptly.
Refer to the chatgpt-web project's official release notes or security advisories for details on the fix and any related information.