Filtered by vendor Danswer-ai
Total: 8 CVEs
| CVE | Vendor | Product | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2024-9617 | Danswer-ai | Danswer | 2025-10-15 | N/A | An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any user's files. The application does not verify whether the requester is the creator of the file, so an attacker can call the GET /api/chat/file/{file_id} endpoint directly to read any user's file. |
| CVE-2024-8057 | Danswer-ai | Danswer | 2025-10-15 | N/A | In version 0.4.1 of danswer-ai/danswer, a basic user can create credentials and link them to an existing connector. The issue arises because an unauthenticated attacker can sign up for a basic account and then perform actions that should be restricted to admin users. This can lead to excessive resource consumption, potentially resulting in a Denial of Service (DoS), and to other significant issues affecting the system's stability and security. |
| CVE-2024-8028 | Danswer-ai | Danswer | 2025-10-15 | N/A | A vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to cause a Denial of Service (DoS) by uploading a file with a malformed multipart boundary. By appending a large number of characters to the end of the multipart boundary, the attacker makes the server process each character continuously, rendering the application inaccessible. The issue can be exploited with a single crafted request and affects all users of the server. |
| CVE-2024-7779 | Danswer-ai | Danswer | 2025-10-15 | N/A | A vulnerability in danswer-ai/danswer version 1 allows an attacker to perform a Regular Expression Denial of Service (ReDoS) by manipulating regular expressions. This can significantly slow down the application's response time and potentially render it completely unusable. |
| CVE-2024-7819 | Danswer-ai | Danswer | 2025-07-21 | N/A | A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. The vulnerability is caused by improper validation of the Origin header, which lets malicious web pages make unauthorized requests to the application's API. |
| CVE-2024-7957 | Danswer-ai | Danswer | 2025-07-13 | N/A | An arbitrary file overwrite vulnerability exists in the ZulipConnector of danswer-ai/danswer, affecting the latest version. The vulnerability arises from the load_credentials method, where user-controlled input for realm_name and zuliprc_content is used to construct file paths and write file contents. This allows attackers to overwrite or create arbitrary files if a zuliprc- directory already exists in the temporary directory. |
| CVE-2024-8065 | Danswer-ai | Danswer | 2025-07-13 | N/A | A Cross-Site Request Forgery (CSRF) vulnerability in version v1.4.1 of danswer-ai/danswer allows attackers to perform unauthorized actions in the context of the victim's browser, including connecting the victim's application to a malicious Slack bot, inviting users, and deleting chats, among other actions. The application does not implement any CSRF protection, making it susceptible to these attacks. |
| CVE-2024-32881 | Danswer-ai | Danswer | 2024-11-21 | 9.8 Critical | Danswer is an AI assistant connected to a company's docs, apps, and people. Danswer is vulnerable to unauthorized access to the GET/SET endpoints for Slack bot tokens: anyone with network access can steal Slack bot tokens and set them. This implies full compromise of the customer's Slack bot, leading to internal Slack access. This issue was patched in version 3.63. |
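The two access-control entries above, CVE-2024-9617 (any user reads any file by id) and CVE-2024-8057 (a basic account reaches an admin-only credential action), come down to a missing object-level check and a missing function-level check respectively. The following Python is an added example written for this page, not Danswer's code: the in-memory file store, the Principal type, the role names and the credential list are hypothetical stand-ins for the real session and storage layers, and the sample records are constructed.

```python
"""Added example (not Danswer's code): object-level and function-level
authorization checks, each shown as a vulnerable handler next to its
hardened form. All data structures below are hypothetical stand-ins."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as the session layer would hand it over."""
    user_id: str
    role: str  # "basic" or "admin" (assumed role names)


@dataclass(frozen=True)
class StoredFile:
    file_id: str
    owner_id: str
    content: bytes
    shared_with: frozenset = frozenset()  # users the owner shared it with


class NotFound(Exception):
    """Missing, or not visible to the caller: the same error for both cases."""


class Forbidden(Exception):
    """Authenticated, but lacking the role this action requires."""


# Constructed sample data.
FILES = {
    "f-1001": StoredFile("f-1001", "alice", b"alice's private notes"),
    "f-1002": StoredFile("f-1002", "bob", b"bob's spreadsheet", frozenset({"carol"})),
}
CREDENTIALS: list = []


def get_file_vulnerable(file_id: str, who: Principal) -> bytes:
    """IDOR: the record is looked up by id alone; `who` never affects the result,
    so any authenticated user can fetch any other user's file."""
    rec = FILES.get(file_id)
    if rec is None:
        raise NotFound(file_id)
    return rec.content


def get_file_hardened(file_id: str, who: Principal) -> bytes:
    """Object-level check: the caller must own the file or have it shared with
    them. A mismatch is reported exactly like a missing file (404, not 403),
    so the endpoint does not reveal which ids exist."""
    rec = FILES.get(file_id)
    permitted = rec is not None and (
        rec.owner_id == who.user_id or who.user_id in rec.shared_with
    )
    if not permitted:
        raise NotFound(file_id)
    return rec.content


def create_credential_vulnerable(who: Principal, connector_id: str) -> int:
    """Function-level gap: any signed-up user reaches an admin action."""
    CREDENTIALS.append((who.user_id, connector_id))
    return len(CREDENTIALS)


def create_credential_hardened(who: Principal, connector_id: str) -> int:
    """Role check before the side effect, on the server, per request."""
    if who.role != "admin":
        raise Forbidden(f"{who.user_id} is not an admin")
    CREDENTIALS.append((who.user_id, connector_id))
    return len(CREDENTIALS)


def allowed(fn, *args) -> bool:
    """Helper: True when fn completes without raising an authorization error."""
    try:
        fn(*args)
        return True
    except (NotFound, Forbidden):
        return False
```

The important design choice is that both checks run inside the handler on every request, keyed on the server-side session identity, and never on an id or role value supplied by the client.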
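CVE-2024-7957 describes a credential file whose path is built from the caller-supplied realm_name, so a name containing path separators and `..` lands the write outside the intended directory. The Python below is an added example for this page, not the ZulipConnector's code: the base directory, the `zuliprc-` file-name prefix, the realm-name character set and the sample contents are assumptions, and the traversal and symlink cases are constructed to show what the naive path join does and what the hardened builder rejects.

```python
"""Added example (not Danswer's code): safe construction of a per-realm
credential file path from untrusted input. Directory layout and naming
prefix are assumptions for illustration."""
import os
import re
import tempfile
from pathlib import Path

# Allowlist for the realm name (assumed format): no separators, no dots first.
REALM_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")


class UnsafeRealmName(ValueError):
    pass


def rc_path_vulnerable(base_dir: Path, realm_name: str) -> Path:
    """Raw join: realm_name '/../../x' yields base/zuliprc-/../../x, which
    resolves outside base_dir (exactly the pre-existing 'zuliprc-' directory
    case the advisory mentions)."""
    return base_dir / f"zuliprc-{realm_name}"


def is_safe_realm_name(realm_name: str) -> bool:
    return REALM_NAME_RE.fullmatch(realm_name) is not None


def _is_inside(base: Path, target: Path) -> bool:
    """True when target is a strict descendant of base (both already resolved)."""
    if target == base:
        return False
    try:
        target.relative_to(base)
        return True
    except ValueError:
        return False


def rc_path_hardened(base_dir: Path, realm_name: str) -> Path:
    """Allowlist the name, then prove the *resolved* path is still inside
    base_dir. The second check matters even with the allowlist: a symlink
    planted at base/zuliprc-<name> would otherwise redirect the write."""
    if not is_safe_realm_name(realm_name):
        raise UnsafeRealmName(realm_name)
    base = base_dir.resolve()
    target = (base / f"zuliprc-{realm_name}").resolve()
    if not _is_inside(base, target):
        raise UnsafeRealmName(realm_name)
    return target


def write_rc(base_dir: Path, realm_name: str, zuliprc_content: str) -> Path:
    """Write the rc file privately (0600) and refuse to follow a symlink."""
    path = rc_path_hardened(base_dir, realm_name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(zuliprc_content)
    return path


def demo() -> dict:
    """Exercise both builders in a fresh temp dir with constructed inputs."""
    payload = "/../../escaped"  # constructed traversal attempt
    content = "[api]\nemail=bot@example.com\nkey=constructed\n"  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        base = tmp / "connector-creds"
        base.mkdir()
        outside = tmp / "outside"
        outside.mkdir()
        loose = rc_path_vulnerable(base, payload).resolve()
        try:
            rc_path_hardened(base, payload)
            traversal_rejected = False
        except UnsafeRealmName:
            traversal_rejected = True
        # Pre-planted symlink inside base pointing out of it: the name "evil"
        # passes the regex, so only the containment check catches this.
        os.symlink(outside, base / "zuliprc-evil")
        try:
            rc_path_hardened(base, "evil")
            symlink_rejected = False
        except UnsafeRealmName:
            symlink_rejected = True
        written = write_rc(base, "zulip.example.com", content)
        return {
            "vulnerable_escapes": not _is_inside(base.resolve(), loose),
            "traversal_rejected": traversal_rejected,
            "symlink_rejected": symlink_rejected,
            "written_inside": _is_inside(base.resolve(), written.resolve()),
            "mode_private": written.stat().st_mode & 0o777 == 0o600,
            "content_roundtrip": written.read_text() == content,
        }
```

Using a per-process private directory instead of a shared temporary directory removes the symlink pre-planting opportunity entirely; the containment and O_NOFOLLOW checks are the defence when the directory is not fully under the service's control.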
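CVE-2024-7819 (CORS) and CVE-2024-8065 (CSRF) are both failures to decide, per request, whether the calling web origin is trusted: the first lets a foreign page read authenticated responses, the second lets it trigger state changes. The Python below is an added example for this page, not Danswer's code, and is framework-independent. The application origin `https://app.example.com` and the header dictionaries are constructed assumptions.

```python
"""Added example (not Danswer's code): Origin validation for CORS responses
and for CSRF protection of state-changing requests. The allowed origin is
an assumption for illustration."""
from urllib.parse import urlsplit

ALLOWED_ORIGINS = frozenset({"https://app.example.com"})  # assumed app origin
UNSAFE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})


def cors_headers_vulnerable(origin):
    """Reflects whatever Origin the browser sent and allows credentials, so
    any page the victim visits can read authenticated API responses."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(origin, allowed=ALLOWED_ORIGINS):
    """Exact-match allowlist. No match means no CORS headers at all, so the
    browser withholds the response from the calling page. Exact matching
    also defeats substring tricks such as app.example.com.evil.test.
    'Vary: Origin' stops a shared cache from replaying one origin's answer
    to another."""
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def origin_of(url):
    """scheme://host[:port] of a URL, or None if it has no usable origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None


def csrf_check(method, headers, allowed=ALLOWED_ORIGINS) -> bool:
    """Allow a state-changing request only when its Origin (or, for clients
    that omit it, the Referer's origin) is the application's own. A missing
    header, or the literal 'null' sent by sandboxed or data: pages, is
    rejected: the session cookie alone does not prove the user meant to act."""
    if method.upper() not in UNSAFE_METHODS:
        return True
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        origin = origin_of(headers["Referer"])
    return origin in allowed
```

In the CSRF scenario from the advisory, an attacker page auto-submits a form to the API; the browser attaches the victim's session cookie but also sends `Origin: https://attacker.example`, which `csrf_check` rejects. Marking the session cookie `SameSite=Lax` is a complementary browser-side control, but the server-side origin check is the one that does not depend on client behaviour.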
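CVE-2024-8028 is triggered by an overlong multipart boundary, which makes the body parser do work proportional to the boundary's length on every scan. RFC 2046 section 5.1.1 limits a boundary to 1 to 70 characters drawn from a fixed set and forbids a trailing space, so the header can be rejected before any body bytes are read. The Python below is an added example for this page, not Danswer's or its multipart library's code; the 256-byte cap on the whole Content-Type value is an assumption.

```python
"""Added example (not Danswer's code): validate the multipart boundary from
the Content-Type header before handing the body to a multipart parser.
RFC 2046 gives the character set and the 70-character limit; the cap on the
whole header value is an assumed extra bound."""
import re

# bchars from RFC 2046 5.1.1: DIGIT / ALPHA / ' ( ) + _ , - . / : = ?  plus space,
# 1..70 characters in total, and the last one must not be a space.
_BCHAR = r"A-Za-z0-9'()+_,\-./:=?"
BOUNDARY_RE = re.compile(rf"^[{_BCHAR} ]{{0,69}}[{_BCHAR}]$")
MAX_CONTENT_TYPE_LEN = 256  # assumption: generous bound for the header value


def extract_boundary(content_type: str):
    """Return the boundary parameter of a multipart/form-data Content-Type
    value, with surrounding quotes removed, or None if the media type is
    not multipart/form-data or no boundary parameter is present."""
    parts = [p.strip() for p in content_type.split(";")]
    if parts[0].lower() != "multipart/form-data":
        return None
    for param in parts[1:]:
        name, sep, value = param.partition("=")
        if sep and name.strip().lower() == "boundary":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            return value
    return None


def validate_multipart_content_type(content_type: str) -> bool:
    """Gate to run on the request header before streaming the body: False
    means respond 400 and never start the multipart parser."""
    if len(content_type) > MAX_CONTENT_TYPE_LEN:
        return False
    boundary = extract_boundary(content_type)
    return boundary is not None and BOUNDARY_RE.fullmatch(boundary) is not None
```

Combined with the usual request-size limit, this keeps the parser's per-line delimiter comparison bounded by a constant the server chose rather than one the client chose.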
ReportizFlow