CVE-2024-9617

MEDIUM NUCLEI

danswer-ai/danswer v0.3.94 - Info Disclosure

Title source: llm

Description

An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.

Nuclei Templates (1)

Danswer - Insecure Direct Object Reference

MEDIUMVERIFIEDby s4e-io

FOFA: icon_hash="484766002"

References (1)

[Exploit, Third Party Advisory] https://huntr.com/bounties/8f683ff6-3a99-41c6-b763-a8f7b73bd146

Scores

CVSS v3 6.5

EPSS 0.1630

EPSS Percentile 94.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-639

Status published

Products (1)

danswer-ai/danswer-ai/danswer unspecified - latest

Published Mar 20, 2025

Tracked Since Feb 18, 2026