Zn9988

**Name of the Vulnerable Software and Affected Versions** DIFY versions prior to 1.3.0 **Description** A clickjacking issue was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web page without their knowledge or consent. This can lead to unauthorized actions being performed, potentially compromising the security and privacy of users. **Recommendations** For versions prior to 1.3.0, update to version 1.3.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Dify versions prior to 0.6.12 **Description** The issue concerns an access control flaw in Dify, an open-source LLM app development platform. This flaw allows non-admin users to make unauthorized access and changes to APPs, despite the web UI of APP orchestration not being presented to normal users. **Recommendations** For versions prior to 0.6.12, update to version 0.6.12 to resolve the issue. As a temporary workaround, consider updating the access control mechanisms to enforce stricter user role permissions and implementing role-based access controls (RBAC) to ensure that only users with admin privileges can access Orchestration of the APPs.

**Name of the Vulnerable Software and Affected Versions** Dify versions 0.6.8 and prior **Description** A vulnerability was identified in the DIFY AI where normal users are improperly granted permissions to export APP DSL. The feature in "/export" should only allow administrator users to export DSL. **Recommendations** For versions 0.6.8 and prior, update the access control mechanisms to enforce stricter user role permissions and implement role-based access controls (RBAC) to ensure that only users with admin privileges can export the APP DSL. Update to version 0.6.13 to fix the vulnerability.

**Name of the Vulnerable Software and Affected Versions** Dify versions prior to 0.6.12 **Description** A security issue was identified in Dify, an open-source LLM app development platform, where normal users are improperly granted permissions to edit app names, descriptions, and icons. This access control flaw allows non-admin users to modify app details, posing a security risk to the integrity of the application. **Recommendations** For versions prior to 0.6.12, update to version 0.6.12 to resolve the issue. As a temporary workaround, consider updating the access control mechanisms to enforce stricter user role permissions and implementing role-based access controls (RBAC) to ensure that only users with admin privileges can modify app details.

**Name of the Vulnerable Software and Affected Versions** Dify versions prior to 0.6.12 **Description** A vulnerability was identified in Dify, an open-source LLM app development platform, where normal users can enable or disable apps through the API, despite not being permitted to make such changes. This access control flaw allows non-admin users to make unauthorized changes, disrupting the functionality and availability of the apps. **Recommendations** For versions prior to 0.6.12, update to version 0.6.12 to resolve the issue. As a temporary workaround, consider updating the API access control mechanisms to enforce stricter user role permissions and implementing role-based access controls (RBAC) to ensure that only users with admin privileges can send enable or disable requests for apps.

**Name of the Vulnerable Software and Affected Versions** Ghost versions 4.0.0 through 4.9.4 **Description** An error in the implementation of the limits service allows all authenticated users, including contributors, to view admin-level API keys via the "integrations API endpoint", leading to a privilege escalation issue. This allows unauthorized access to sensitive information. It is highly recommended to regenerate all API keys after patching or applying the workaround. **Recommendations** For Ghost versions 4.0.0 through 4.9.4, upgrade to version 4.10.0 as soon as possible. As a temporary workaround, consider disabling all non-Administrator accounts to prevent API access. After patching or applying the workaround, regenerate all API keys to ensure security.