CVE-2024-52294 MEDIUM

CVE-2024-52294: khoj has an IDOR in subscription management that allows unauthorized subscription modifications

Vendor Khoj-Ai
Product khoj
Weakness CWE-639 · IDOR
Published December 30, 2024
Last update December 30, 2024

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

Description

Khoj is a self-hostable artificial intelligence app. Prior to version 1.29.10, an Insecure Direct Object Reference (IDOR) vulnerability in the update_subscription endpoint allows any authenticated user to manipulate other users' Stripe subscriptions by simply modifying the email parameter in the request. The vulnerability exists in the subscription endpoint at `/api/subscription`. The endpoint uses an email parameter as a direct reference to user subscriptions without verifying object ownership. While authentication is required, there is no authorization check to verify if the authenticated user owns the referenced subscription. The issue was fixed in version 1.29.10. Support for arbitrarily presenting an email for update has been deprecated.
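As an added illustration that is not khoj's own code: a hypothetical handler pair showing the flaw described above (the subscription record is selected by a client-supplied email, with authentication but no ownership check) beside the fixed form that derives the reference from the authenticated user, plus a small request-log check a defender could use to spot cross-account attempts. The User class, the subscription store, the field names and the log-entry shape are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    """The authenticated principal, as established by the login/session layer."""
    email: str


class Forbidden(Exception):
    """Raised when a request references an object the caller does not own."""


def new_store() -> Dict[str, dict]:
    """Constructed subscription table keyed by account email (the direct object reference)."""
    return {
        "alice@example.com": {"plan": "standard", "auto_renew": True},
        "bob@example.com": {"plan": "standard", "auto_renew": True},
    }


def update_subscription_vulnerable(store: Dict[str, dict], current_user: User,
                                   email: str, auto_renew: bool) -> dict:
    """Authentication is enforced (a User is present), but the record is selected by a
    client-controlled email with no check that it belongs to current_user: CWE-639."""
    sub = store[email]
    sub["auto_renew"] = auto_renew
    return sub


def update_subscription_fixed(store: Dict[str, dict], current_user: User,
                              auto_renew: bool, email: Optional[str] = None) -> dict:
    """The object reference comes from the authenticated identity. A supplied email is
    honoured only when it names the caller's own account; anything else is refused."""
    if email is not None and email.lower() != current_user.email.lower():
        raise Forbidden("email parameter does not match the authenticated user")
    sub = store[current_user.email]
    sub["auto_renew"] = auto_renew
    return sub


def flag_cross_account_requests(log: List[dict]) -> List[dict]:
    """Detection aid: given request-log entries with 'auth_user' and optional 'email'
    fields, return those where the email parameter names a different account."""
    return [r for r in log
            if r.get("email") and r["email"].lower() != r["auth_user"].lower()]
```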

Key dates

Disclosure timeline

December 30, 2024 CVE published
December 30, 2024 Record updated
