Arajgor

**Name of the Vulnerable Software and Affected Versions** stitionai/devika repository (affected versions not specified) **Description** The issue is caused by a CORS misconfiguration, which allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. Attackers can also perform actions on behalf of the user, including deleting projects or sending messages, due to the lack of proper origin validation. This enables unauthorized cross-origin requests to be executed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: stitutionai/devika (affected versions not specified) Description: A stored Cross-Site Scripting (XSS) vulnerability exists in the stitionai/devika chat feature, allowing attackers to inject malicious payloads into the chat input. This issue is due to the lack of input validation and sanitization on both the frontend and backend components of the application. The application fails to sanitize user input in the chat feature, leading to the execution of arbitrary JavaScript code in the context of the user's browser session. The impact of this vulnerability includes the potential for stolen credentials, extraction of sensitive information from chat logs, projects, and other data accessible through the application. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stitutionai/devika version latest **Description** A local file read issue exists due to improper handling of the `snapshot path` parameter in the "/api/get-browser-snapshot" endpoint. An attacker can exploit this by crafting a request with a malicious `snapshot path` parameter, leading to arbitrary file read from the system. This issue impacts the security of the application by allowing unauthorized access to sensitive files on the server. **Recommendations** As a temporary workaround, consider disabling the "/api/get-browser-snapshot" endpoint until a patch is available. Restrict access to the `snapshot path` parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stitutionai/devika repository version latest **Description** A directory traversal issue exists in the "/api/download-project-pdf" endpoint due to insufficient sanitization of the `project name` parameter in the `download project pdf` function. This allows attackers to manipulate the `project name` parameter in a GET request to traverse the directory structure and download arbitrary PDF files from the system, potentially accessing sensitive information stored in PDF format outside the intended directory. **Recommendations** As a temporary workaround, consider disabling the `download project pdf` function until a patch is available. Restrict access to the "/api/download-project-pdf" endpoint to minimize the risk of exploitation. Avoid using the `project name` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stitutionai/devika repository (affected versions not specified) **Description** A directory traversal issue exists, specifically within the "/api/download-project" endpoint. Attackers can exploit this by manipulating the `project name` parameter in a GET request to download arbitrary files from the system. The issue arises due to insufficient input validation in the `download project` function, allowing attackers to traverse the directory structure and access files outside the intended directory. This could lead to unauthorized access to sensitive files on the server. **Recommendations** As a temporary workaround, consider disabling the `download project` function until a patch is available. Restrict access to the "/api/download-project" endpoint to minimize the risk of exploitation. Avoid using the `project name` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.