CVE-2024-6229

Name of the Vulnerable Software and Affected Versions: stangirard/quivr version latest

Description: A stored cross-site scripting (XSS) vulnerability exists in the 'Upload Knowledge' feature. Users can upload files via URL, which allows the insertion of malicious JavaScript payloads. These payloads are stored on the server and executed whenever any user clicks on a link containing the payload, leading to potential data theft, session hijacking, and reputation damage.

Recommendations: For the latest version, consider disabling the 'Upload Knowledge' feature until a patch is available to prevent the insertion of malicious JavaScript payloads. Restrict access to the feature to minimize the risk of exploitation. Avoid using the 'Upload Knowledge' feature via URL until the issue is resolved.