PT-2024-37487 · Unknown · Gaizhenbiao/Chuanhuchatgpt

Published: 2024-07-31 · Updated: 2024-08-30 · CVE-2024-6255

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: gaizhenbiao/chuanhuchatgpt version 20240410
Description: A vulnerability in the JSON file handling allows any user to delete any JSON file on the server, including critical configuration files such as config.json and ds_config_chatbot.json. This issue arises due to improper validation of file paths, enabling directory traversal attacks. An attacker can exploit this issue to disrupt the functioning of the system, manipulate settings, or potentially cause data loss or corruption.
Recommendations: For gaizhenbiao/chuanhuchatgpt version 20240410, consider restricting access to the JSON file handling functionality until a patch is available. As a temporary workaround, restrict the ability to delete files such as config.json and ds_config_chatbot.json to minimize the risk of exploitation. Validate file paths properly in the JSON file handling mechanism to prevent directory traversal attacks. At the moment, there is no information about a newer version that contains a fix for this issue.
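
Added example (not code from ChuanhuChatGPT or from this advisory): one way to apply the path-validation recommendation is to resolve the requested name and confirm it still sits inside the caller's own directory before deleting. The function names, the history/alice layout and the sample file names are assumptions made for illustration; Python 3.9+ is assumed for Path.is_relative_to.

```python
# Added illustration; not ChuanhuChatGPT code. All names are hypothetical.
import tempfile
from pathlib import Path


class UnsafePath(Exception):
    """Raised when a requested file falls outside the allowed directory."""


def resolve_confined(user_dir: Path, filename: str) -> Path:
    """Return the real path for filename, or raise if it leaves user_dir."""
    base = user_dir.resolve(strict=True)
    # resolve() collapses ".." and follows symlinks before the check; an
    # absolute filename replaces base in the join and fails the same test.
    target = (base / filename).resolve()
    if target.suffix != ".json" or not target.is_relative_to(base):
        raise UnsafePath(filename)
    if not target.is_file():
        raise FileNotFoundError(filename)
    return target


def delete_json(user_dir: Path, filename: str) -> None:
    """Delete a JSON file only if it really lives under user_dir."""
    resolve_confined(user_dir, filename).unlink()


def demo() -> dict:
    """Run benign and traversal-style names against a constructed layout."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        user_dir = root / "history" / "alice"        # constructed per-user dir
        user_dir.mkdir(parents=True)
        config = root / "config.json"                # stands in for server config
        config.write_text("{}")
        (user_dir / "chat1.json").write_text("{}")
        cases = {"own_file": "chat1.json",
                 "relative": "../../config.json",
                 "absolute": str(config)}
        for label, name in cases.items():
            try:
                delete_json(user_dir, name)
                results[label] = "deleted"
            except UnsafePath:
                results[label] = "rejected"
        results["config_survives"] = config.exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check runs on the resolved path, so a symlink placed inside the user directory that points at a configuration file is rejected the same way as a relative or absolute name.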

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2024-6255
PYSEC-2024-73

Affected Products

Gaizhenbiao/Chuanhuchatgpt