CVE-2024-11850 MEDIUM

CVE-2024-11850: Stored XSS in langgenius/dify

Vendor Langgenius
Product langgenius/dify
Weakness CWE-79 · XSS
Published March 20, 2025
Last update March 20, 2025

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

A stored cross-site scripting (XSS) vulnerability exists in the latest version of langgenius/dify. The vulnerability is due to improper validation and sanitization of user input in SVG markdown support within the chatbot feature. An attacker can exploit this vulnerability by injecting malicious SVG content, which can execute arbitrary JavaScript code when viewed by an admin, potentially leading to credential theft.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated