PT-2024-35436 · Gaizhenbiao · Chuanhuchatgpt

Published: 2024-06-06 · Updated: 2025-12-16 · CVE-2024-5278

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: gaizhenbiao/chuanhuchatgpt versions prior to 20240310

Description: The application is susceptible to unrestricted file uploads because of inadequate validation of file types at the /upload endpoint. The handle file upload function does not properly sanitize or validate the file extension or content type of uploaded files. This allows attackers to upload files with arbitrary extensions, including HTML files containing cross-site scripting (XSS) payloads and Python files. This could lead to stored XSS attacks and potentially remote code execution (RCE) on the server hosting the application.

Recommendations: Versions prior to 20240310 should be updated. Ensure proper sanitization and validation of file extensions and content types within the handle file upload function. Restrict the types of files that can be uploaded through the /upload endpoint.
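As an added illustration (not code from this advisory or from the chuanhuchatgpt project), the following Python sketch shows the kind of check the recommendation calls for: the upload's file name is reduced to its last path component, the extension is matched against an allowlist, and the bytes are checked against the format the extension claims, so a file such as xss.html or shell.py is refused before it is written. The allowlist, the magic-byte rule and all function names are assumptions, not the project's own.

```python
import os
import posixpath

# Assumed allowlist (not the project's own): each accepted extension carries a
# rule that confirms the bytes really match the claimed type.
ALLOWED_TYPES = {
    ".pdf": {"magic": b"%PDF-"},
    ".txt": {"text": True},
    ".md": {"text": True},
}
# Markers that let a browser render a "document" as active HTML.
HTML_MARKERS = (b"<script", b"<html", b"<!doctype html", b"<iframe", b"<svg")

class UploadRejected(ValueError):
    pass

def weak_save_path(upload_dir: str, filename: str) -> str:
    # Vulnerable pattern: the client-chosen name alone decides where and as what
    # the file lands, so "shell.py" or "xss.html" are stored unchanged.
    return os.path.join(upload_dir, filename)

def sanitize_filename(filename: str) -> str:
    # Keep only the last path component so "../x.pdf" cannot leave upload_dir.
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        raise UploadRejected("empty or invalid file name")
    return name

def validate_upload(filename: str, data: bytes) -> str:
    """Return a safe file name when extension and content are acceptable."""
    name = sanitize_filename(filename)
    ext = os.path.splitext(name)[1].lower()  # last suffix: "a.pdf.html" is .html
    rule = ALLOWED_TYPES.get(ext)
    if rule is None:
        raise UploadRejected(f"extension {ext or '(none)'} is not allowed")
    if "magic" in rule and not data.startswith(rule["magic"]):
        raise UploadRejected(f"content does not look like {ext}")
    if rule.get("text") and any(m in data.lower() for m in HTML_MARKERS):
        raise UploadRejected("text upload contains active HTML content")
    return name

def is_accepted(filename: str, data: bytes) -> bool:
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False
```

Allowlisting is one layer only: uploads should also be served with a fixed Content-Type, `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment`, so that a file which slips through cannot be rendered as HTML in the application's origin.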

Tags: RCE · Unrestricted File Upload

Related Identifiers: CVE-2024-5278

Affected Products: Chuanhuchatgpt