PT-2024-38832 · Gaizhenbiao · Chuanhuchatgpt
Published: 2024-10-13 · Updated: 2024-10-31 · CVE-2024-8143
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
gaizhenbiao/chuanhuchatgpt version 20240628
Description:
The issue exists in the "/file" endpoint and allows authenticated users to access the chat history of other users. When a user logs in, a directory named after the user is created in the history folder. By manipulating the "/file" endpoint, an authenticated user can enumerate and access files in other users' directories, which gives unauthorized read access to any user's private chat history.
Recommendations:
For version 20240628, as a temporary workaround, consider restricting access to the "/file" endpoint until a patch is available. Additionally, avoid using the "/file" endpoint to access or manipulate user directories until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
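A per-user path check of the kind a file-serving handler needs so that one session cannot read another user's history directory, shown as an added example that is not ChuanhuChatGPT's own code. The names `resolve_history_file` and `AccessDenied`, the parameters, and the sample users and files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

class AccessDenied(Exception):
    """Requested file is not inside the caller's own history directory."""

def resolve_history_file(history_root, username, requested):
    """Return the resolved path only if it lies in history_root/<username>.
    Parameters (assumed names): history folder, session user name, requested path."""
    # The user name becomes a directory name, so it must be a single component.
    if not username or username in (".", "..") or any(c in username for c in "/\\\0"):
        raise AccessDenied("invalid user name")
    root = Path(history_root).resolve()
    user_dir = (root / username).resolve()
    if user_dir.parent != root:  # symlinked user directory leaving the root
        raise AccessDenied("user directory escapes history root")
    candidate = Path(requested)
    if not candidate.is_absolute():
        candidate = user_dir / candidate
    # resolve() collapses ".." and follows symlinks before the comparison.
    candidate = candidate.resolve()
    if not candidate.is_relative_to(user_dir):  # Python 3.9+
        raise AccessDenied("outside the caller's directory")
    if not candidate.is_file():
        raise AccessDenied("not a regular file")
    return candidate

def demo():
    """Run the check over a constructed two-user history tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "history"
        for user in ("alice", "bob"):  # constructed sample users
            (root / user).mkdir(parents=True)
            (root / user / "chat.json").write_text("{}")
        requests = {
            "own_relative": ("alice", "chat.json"),
            "own_absolute": ("alice", str(root / "alice" / "chat.json")),
            "other_absolute": ("alice", str(root / "bob" / "chat.json")),
            "other_relative": ("alice", "../bob/chat.json"),
            "bad_username": ("../bob", "chat.json"),
        }
        results = {}
        for label, (user, path) in requests.items():
            try:
                resolve_history_file(root, user, path)
                results[label] = "allowed"
            except AccessDenied:
                results[label] = "denied"
        return results
```

The user name passed to the check must come from the authenticated session, never from the request itself.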
Affected Products
Chuanhuchatgpt