CVE-2024-11824: Stored XSS in langgenius/dify
First published: Thu Mar 20 2025(Updated: )
A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. The vulnerability arises because certain HTML tags like <input> and <form> are not disallowed, allowing an attacker to inject malicious HTML into the log via prompts. When an admin views the log containing the malicious HTML, the attacker could steal the admin's credentials or sensitive information. This issue is fixed in version 0.12.1.
Credit: security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dify | <0.12.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-11824?
CVE-2024-11824 is classified as a moderate severity stored cross-site scripting (XSS) vulnerability.
How do I fix CVE-2024-11824?
To fix CVE-2024-11824, update langgenius/dify to at least version 0.12.1 where the vulnerability has been addressed.
What software is affected by CVE-2024-11824?
CVE-2024-11824 affects langgenius/dify versions up to 0.12.1.
What type of vulnerability is CVE-2024-11824?
CVE-2024-11824 is a stored cross-site scripting (XSS) vulnerability in the chat log functionality.
What can attackers achieve with CVE-2024-11824?
Attackers can inject malicious HTML into the chat log, potentially leading to unauthorized actions or data exposure for users.
- agent/references
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/description
- collector/nvd-api
- source/NVD
- agent/author
- agent/severity
- agent/source
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/langgenius
- canonical/dify