CVE-2024-11441 MEDIUM

CVE-2024-11441: Stored XSS in Serge in serge-chat/serge

Vendor Serge-Chat
Product serge-chat/serge
Weakness CWE-79 · XSS
Published March 20, 2025
Last update March 20, 2025
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

A stored cross-site scripting (XSS) vulnerability exists in Serge version 0.9.0. The vulnerability is due to improper neutralization of input during web page generation in the chat prompt. An attacker can exploit this vulnerability by sending a crafted message containing malicious HTML/JavaScript code, which will be stored and executed whenever the chat is accessed, leading to unintended content being shown to the user and potential phishing attacks.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-8777 planetcalc <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via language Parameter CVE-2024-37554 WordPress UltraAddons plugin <= 2.0.2 - Cross Site Scripting (XSS) vulnerability CVE-2024-35693 WordPress 12 Step Meeting List plugin <= 3.14.33 - Cross Site Scripting (XSS) vulnerability CVE-2024-1697 Custom WooCommerce Checkout Fields Editor <= 1.3.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting CVE-2025-13784 yungifez Skuul School Management System SVG File edit cross site scripting