CVE-2024-8027 MEDIUM

CVE-2024-8027: Stored Cross-Site Scripting (XSS) in netease-youdao/QAnything

Vendor Netease-Youdao

Product netease-youdao/qanything

Weakness CWE-79 · XSS

Published March 20, 2025

Last update March 20, 2025

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

A stored Cross-Site Scripting (XSS) vulnerability exists in netease-youdao/QAnything. Attackers can upload malicious knowledge files to the knowledge base, which can trigger XSS attacks during user chats. This vulnerability affects all versions prior to the fix.

Key dates

02Disclosure timeline

March 20, 2025 CVE published

March 20, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-8027

Related vulnerabilities

04Related CVE

CVE-2024-10184 SW Kick Integration - Blocks and Shortcodes for Embedding Kick Streams <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via sw-kick-embed Shortcode CVE-2026-27568 AVideo has Stored Cross-Site Scripting via Markdown Comment Injection CVE-2024-0283 Kashipara Food Management System party_details.php cross site scripting CVE-2023-31928 XSS vulnerability in Brocade Webtools CVE-2025-26584 WordPress TBTestimonials Plugin <= 1.7.3 - Reflected Cross Site Scripting (XSS) vulnerability

Identifiers

CVE CVE-2024-8027

CWE CWE-79

CVSS 6.1 / MEDIUM

Affected versions

Vendor Netease-Youdao

Product netease-youdao/qanything

Affected ≥ unspecified and ≤ latest