CVE-2024-11824

Name of the Vulnerable Software and Affected Versions langgenius/dify versions prior to 0.12.1

Description A stored cross-site scripting (XSS) issue exists in the chat log functionality. This occurs because certain HTML tags, such as <input> and <form>, are not properly restricted, allowing an attacker to inject malicious HTML into the log via prompts. When an administrator views the log containing the malicious HTML, the attacker could potentially steal the administrator's credentials or sensitive information.

Recommendations For versions prior to 0.12.1, update to version 0.12.1 to resolve the issue. As a temporary workaround, consider restricting access to the chat log functionality until the update is applied.