CVE-2024-5185 HIGH

CVE-2024-5185: Data Poisoning in EmbedAI

Vendor Samuraigpt
Product EmbedAI
Weakness CWE-352 · CSRF
Published May 29, 2024
Last update September 3, 2024

CVSS base score

8.3/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction Active
Confidentiality None
Integrity High

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

What the vulnerability does

Description

The EmbedAI application is vulnerable to data poisoning attacks. This weakness could result in the application becoming compromised, leading to unauthorized entries or data poisoning. The attack is delivered through a CSRF vulnerability caused by the absence of secure session management and by weak CORS policies. An attacker can direct a user to a malicious web page that exploits the CSRF vulnerability in the EmbedAI application. By leveraging it, the attacker can deceive the user into inadvertently uploading and integrating incorrect data into the application’s language model.

Key dates

Disclosure timeline

May 29, 2024 CVE published
September 3, 2024 Record updated
