PT-2025-12288 · Unknown · Danswer-Ai/Danswer
Published: 2025-03-20 · Updated: 2025-03-20 · CVE-2024-9612
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: danswer-ai/danswer version 0.3.94
Description: The issue allows attackers to bypass the visibility restriction set by administrators for the search page. When the search page is set to be invisible, regular users cannot view it or access its functionalities from the front-end interface. However, the back-end does not verify the visibility status of the search page, enabling attackers to directly call the API to access the search page's functionalities.
Recommendations: For version 0.3.94, consider restricting access to the API endpoints related to the search page until a patch is available. As a temporary workaround, administrators can also limit the functionality of the search page to minimize the risk of exploitation.
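The class of bug described above is a visibility toggle enforced only by the front-end. The following added example (not Danswer's code; the route paths, handler names and the `search_page_visible` setting are hypothetical stand-ins) contrasts a dispatcher that checks only authentication with one that also enforces the admin toggle server-side for every route belonging to the hidden page, so a direct API call from a regular user is refused with 403:

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass
class User:
    email: str
    is_admin: bool

@dataclass
class Settings:
    # Constructed stand-in for the admin-managed "search page visible" toggle.
    search_page_visible: bool

# Hypothetical handlers; the real endpoints and payloads are not on the page.
def search_handler(user: User) -> dict:
    return {"results": [], "user": user.email}

def chat_handler(user: User) -> dict:
    return {"answer": "", "user": user.email}

# Hypothetical route table: path -> (handler, name of the page it belongs to).
ROUTES: Dict[str, Tuple[Callable[[User], dict], str]] = {
    "/api/search/query": (search_handler, "search"),
    "/api/chat/send": (chat_handler, "chat"),
}

def page_visible(page: str, settings: Settings) -> bool:
    # Pages that have no visibility toggle are always visible.
    return {"search": settings.search_page_visible}.get(page, True)

def dispatch_vulnerable(path: str, user: Optional[User], settings: Settings) -> int:
    """Before: only authentication is checked; the toggle lives in the front-end."""
    if path not in ROUTES:
        return 404
    if user is None:
        return 401
    handler, _page = ROUTES[path]
    handler(user)
    return 200

def dispatch_fixed(path: str, user: Optional[User], settings: Settings) -> int:
    """After: the toggle is enforced server-side on every route of the hidden page."""
    if path not in ROUTES:
        return 404
    if user is None:
        return 401
    handler, page = ROUTES[path]
    if not user.is_admin and not page_visible(page, settings):
        return 403  # regular user calling a hidden page's API directly
    handler(user)
    return 200
```

The point of the fixed dispatcher is that the check keys off the page the route belongs to, so adding a new search-page endpoint cannot silently bypass the toggle.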

Related Identifiers: CVE-2024-9612
Affected Products: Danswer-Ai/Danswer