CVE-2024-5926
CRITICALDescription
A path traversal vulnerability in the get-project-files functionality of stitionai/devika allows attackers to read arbitrary files from the filesystem and cause a Denial of Service (DoS). This issue is present in all versions of the application. The vulnerability arises due to insufficient path sanitization for the 'project-name' parameter, enabling attackers to specify paths that traverse the filesystem. By setting 'project-name' to the root directory, an attacker can cause the application to attempt to read the entire filesystem, leading to a DoS condition.
Is your site exposed to CVE-2024-5926?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| stitionai | devika |
References
Frequently Asked Questions
What is CVE-2024-5926? +
How severe is CVE-2024-5926? +
What products are affected by CVE-2024-5926? +
How do I check if I'm vulnerable to CVE-2024-5926? +
Related Vulnerabilities
DbGate is cross-platform database manager. In versions 6.4.3-premium-beta.5 and below, DbGate is vulnerable to a directory traversal flaw. The file …
DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of …
A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by …
A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises due …
parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied …
A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the `@router.get("/switch_personal_path")` endpoint in `./lollms-webui/lollms_core/lollms/server/endpoints/lollms_user.py`. …