CVE-2024-10819
Published: 20 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2024-10819 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting version 3.83 of binary-husky/gpt_academic. The flaw allows an attacker to trick an authenticated user into uploading files without their consent by exploiting the user's active session. This enables unauthorized file uploads that can contain malicious scripts, leading to stored Cross-Site Scripting (XSS) attacks and potential system compromise.
The vulnerability can be exploited by any network-based attacker (AV:N) with no required privileges (PR:N), though it requires user interaction (UI:R) such as clicking a malicious link. Successful attacks result in unauthorized file uploads, stored XSS payloads that steal victim information, and the ability to perform arbitrary actions on the victim's behalf within the application context. The CVSS v3.1 base score is 8.8 (AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
Mitigation details are available in the advisory published on Huntr at https://huntr.com/bounties/45270c4b-a500-4374-a90b-37b604a3ace0. The CVE was published on 2025-03-20T10:15:20.010.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability in the public-facing gpt_academic web application directly enables exploitation via T1190. The resulting unauthorized upload of malicious scripts facilitates stored XSS, allowing arbitrary JavaScript execution in the victim's browser context (T1059.007).