CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-7819: CORS Misconfiguration in danswer-ai/danswer

7.4 CVSS

Description

A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the application's API.

Classification

CVE ID: CVE-2024-7819

CVSS Base Severity: HIGH

CVSS Base Score: 7.4

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Problem Types

CWE-346 Origin Validation Error

Affected Products

Vendor: danswer-ai

Product: danswer-ai/danswer

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.74% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-7819
https://huntr.com/bounties/06a21857-e13f-4cf4-aa67-de11419a98c0

Timeline

2025-03-20 11:40:34 UTC
CVE

CORS Misconfiguration in danswer-ai/danswer