CVE-2024-5184

MEDIUM

EmailGPT - Prompt Injection via API Service

Title source: llm

Description

The EmailGPT service contains a prompt injection vulnerability. The service uses an API service that allows a malicious user to inject a direct prompt and take over the service logic. Attackers can exploit the issue by forcing the AI service to leak the standard hard-coded system prompts and/or execute unwanted prompts. When engaging with EmailGPT by submitting a malicious prompt that requests harmful information, the system will respond by providing the requested data. This vulnerability can be exploited by any individual with access to the service.

References (1)

Core 1

Core References

Third Party Advisory

https://www.synopsys.com/blogs/software-security/cyrc-advisory-prompt-injection-emailgpt.html

Scores

CVSS v3 6.5

EPSS 0.0054

EPSS Percentile 41.4%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-74

Status published

Products (1)

emailgpt/emailgpt

Published Jun 05, 2024

Tracked Since Feb 18, 2026