CVE-2024-11824

HIGH

langgenius/dify < 0.12.1 - Stored Cross-Site Scripting in Chat Log via HTML Tag Injection

Title source: llm
STIX 2.1

Description

A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. The vulnerability arises because certain HTML tags like <input> and <form> are not disallowed, allowing an attacker to inject malicious HTML into the log via prompts. When an admin views the log containing the malicious HTML, the attacker could steal the admin's credentials or sensitive information. This issue is fixed in version 0.12.1.

Scores

CVSS v3 7.6
EPSS 0.0043
EPSS Percentile 34.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
langgenius/dify < 0.12.1
Published Mar 20, 2025
Tracked Since Feb 18, 2026