CVE-2024-5547

Name of the Vulnerable Software and Affected Versions stitutionai/devika repository version latest

Description A directory traversal issue exists in the "/api/download-project-pdf" endpoint due to insufficient sanitization of the project name parameter in the download project pdf function. This allows attackers to manipulate the project name parameter in a GET request to traverse the directory structure and download arbitrary PDF files from the system, potentially accessing sensitive information stored in PDF format outside the intended directory.

Recommendations As a temporary workaround, consider disabling the download project pdf function until a patch is available. Restrict access to the "/api/download-project-pdf" endpoint to minimize the risk of exploitation. Avoid using the project name parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.