Home

Description

gaizhenbiao/chuanhuchatgpt is vulnerable to an unrestricted file upload vulnerability due to insufficient validation of uploaded file types in its `/upload` endpoint. Specifically, the `handle_file_upload` function does not sanitize or validate the file extension or content type of uploaded files, allowing attackers to upload files with arbitrary extensions, including HTML files containing XSS payloads and Python files. This vulnerability, present in the latest version as of 20240310, could lead to stored XSS attacks and potentially result in remote code execution (RCE) on the server hosting the application.

PUBLISHED Reserved 2024-05-23 | Published 2024-06-06 | Updated 2025-10-15 | Assigner @huntr_ai




MEDIUM: 6.5CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Any version before 20240919
affected

References

huntr.com/bounties/ea821d86-941b-40f3-a857-91f758848e05

huntr.com/bounties/ea821d86-941b-40f3-a857-91f758848e05

github.com/...ommit/22007a77f037c0cf76180f9b73a8d19e87dad02e

cve.org (CVE-2024-5278)

nvd.nist.gov (CVE-2024-5278)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.