{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7819", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-08-14T19:20:28.465Z", "datePublished": "2025-03-20T10:09:02.046Z", "dateUpdated": "2025-03-20T18:59:15.771Z"}, "containers": {"cna": {"title": "CORS Misconfiguration in danswer-ai/danswer", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2025-03-20T10:09:02.046Z"}, "descriptions": [{"lang": "en", "value": "A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the application's API."}], "affected": [{"vendor": "danswer-ai", "product": "danswer-ai/danswer", "versions": [{"version": "unspecified", "status": "affected", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/06a21857-e13f-4cf4-aa67-de11419a98c0"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "baseScore": 7.4, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-346 Origin Validation Error", "cweId": "CWE-346"}]}], "source": {"advisory": "06a21857-e13f-4cf4-aa67-de11419a98c0", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-20T17:51:52.560947Z", "id": "CVE-2024-7819", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T18:59:15.771Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7819", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-20T17:51:52.560947Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T17:51:54.221Z"}}], "cna": {"title": "CORS Misconfiguration in danswer-ai/danswer", "source": {"advisory": "06a21857-e13f-4cf4-aa67-de11419a98c0", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "CHANGED", "version": "3.0", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "danswer-ai", "product": "danswer-ai/danswer", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/06a21857-e13f-4cf4-aa67-de11419a98c0"}], "descriptions": [{"lang": "en", "value": "A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the application's API."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346 Origin Validation Error"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2025-03-20T10:09:02.046Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7819", "state": "PUBLISHED", "dateUpdated": "2025-03-20T18:59:15.771Z", "dateReserved": "2024-08-14T19:20:28.465Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2025-03-20T10:09:02.046Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized requests to the application's API."}, {"lang": "es", "value": "Una configuraci\u00f3n incorrecta de CORS en danswer-ai/danswer v1.4.1 permite a los atacantes robar informaci\u00f3n confidencial, como el contenido del chat, las claves de API y otros datos. Esta vulnerabilidad se produce debido a una validaci\u00f3n incorrecta del encabezado de origen, lo que permite que p\u00e1ginas web maliciosas realicen solicitudes no autorizadas a la API de la aplicaci\u00f3n."}], "id": "CVE-2024-7819", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2025-03-20T10:15:38.017", "references": [{"source": "security@huntr.dev", "url": "https://huntr.com/bounties/06a21857-e13f-4cf4-aa67-de11419a98c0"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "security@huntr.dev", "type": "Secondary"}]}

{}

{"created": "2025-07-21T15:17:43.056819+00:00", "updated": "2025-07-21T15:17:43.056909+00:00", "vendors": ["danswer-ai", "danswer-ai$PRODUCT$danswer"]}