Severity: Medium

Project: danswer

Unauthorized API Access to Search Page Functions

In version v0.3.94 of the software, the back-end does not verify the visibility status of the search page, so an attacker can reach the page's functionality directly through API calls even when an administrator has hidden it. This vulnerability has not yet been patched.

Available publicly on Oct 12 2024

CVSS base score: 6.5

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Credit: fewword

Remediation Steps
  • Implement back-end verification of the visibility status of the search page.
  • Ensure that API endpoints respect the visibility settings configured by administrators.
  • Conduct thorough testing to confirm that visibility restrictions are enforced both on the front-end and back-end.
  • Release a patched version of the software addressing this issue.
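
As an added example (not danswer's own code), the back-end check the remediation steps call for, written against a constructed toy router: a decorator that re-validates the admin-configured visibility flag on every API call and logs denials, plus an audit that lists search-page routes still lacking the check. Route paths, setting names and handlers are assumptions.

```python
# Added example (not danswer's code): enforce the admin-configured search-page
# visibility flag in the back-end and audit that every API route behind the page
# is covered. All names, routes and settings here are constructed stand-ins.
from dataclasses import dataclass, field
from functools import wraps

@dataclass
class AdminSettings:
    search_page_visible: bool = True                  # what the UI already honours
    denied_log: list = field(default_factory=list)    # denials, for detection

class Forbidden(Exception):
    """Raised when a hidden page's back-end is called directly."""

def requires_search_page(fn):
    """Back-end check: hiding the page in the UI is not enforcement."""
    @wraps(fn)
    def guard(settings, user, *args, **kw):
        if not settings.search_page_visible:
            settings.denied_log.append(f"denied {user} -> {fn.__name__}")
            raise Forbidden("search page disabled by administrator")
        return fn(settings, user, *args, **kw)
    guard._gated = True                               # marker read by audit_gating()
    return guard

@requires_search_page
def search(settings, user, query):
    return [f"hit for {query!r}"]                     # stand-in for the real search

def suggest(settings, user, prefix):                  # left ungated on purpose so the
    return [prefix + "..."]                           # audit below has something to flag

ROUTES = {"/api/search": search, "/api/search/suggest": suggest}  # toy router
SEARCH_PAGE_ROUTES = {"/api/search", "/api/search/suggest"}       # routes behind the page

def audit_gating():
    """Remediation step 3: search-page routes that lack the back-end check."""
    return sorted(p for p in SEARCH_PAGE_ROUTES if not getattr(ROUTES[p], "_gated", False))

def is_denied(settings, path, user, *args):
    """True when the route refuses the call because the page is hidden."""
    try:
        ROUTES[path](settings, user, *args)
    except Forbidden:
        return True
    return False
```

Running `audit_gating()` in CI after every change is the cheapest way to keep step 3 true as new endpoints are added behind the page.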
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A