CVE-2024-8065: CSRF in danswer-ai/danswer
A Cross-Site Request Forgery (CSRF) vulnerability in version v1.4.1 of danswer-ai/danswer allows attackers to perform unauthorized actions in the context of the victim's browser. This includes connecting the victim's application with a malicious Slack Bot, inviting users, and deleting chats, among other actions. The application does not implement any CSRF protection, making it susceptible to these attacks.
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2024-8065?
CVE-2024-8065 is classified as a Cross-Site Request Forgery (CSRF) vulnerability that can lead to unauthorized actions in the victim's browser.
How do I fix CVE-2024-8065?
To fix CVE-2024-8065, update Danswer AI to the latest version that includes a patch for this vulnerability.
Who is affected by CVE-2024-8065?
CVE-2024-8065 affects users of Danswer AI version v1.4.1.
What kind of attacks can be executed through CVE-2024-8065?
Attackers can use CVE-2024-8065 to connect the victim's application with a malicious Slack Bot, invite users, and perform other unauthorized actions.
Is CVE-2024-8065 easily exploitable?
Yes, CVE-2024-8065 can be exploited easily due to the nature of CSRF vulnerabilities that leverage the victim's session.