漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
NextChat vulnerable to Server-Side Request Forgery and Cross-site Scripting
Vulnerability Description
NextChat, also known as ChatGPT-Next-Web, is a cross-platform chat user interface for use with ChatGPT. Versions 2.11.2 and prior are vulnerable to server-side request forgery and cross-site scripting. This vulnerability enables read access to internal HTTP endpoints but also write access using HTTP POST, PUT, and other methods. Attackers can also use this vulnerability to mask their source IP by forwarding malicious traffic intended for other Internet targets through these open proxies. As of time of publication, no patch is available, but other mitigation strategies are available. Users may avoid exposing the application to the public internet or, if exposing the application to the internet, ensure it is an isolated network with no access to any other internal resources.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
NextChat 安全漏洞
Vulnerability Description
NextChat是一个用于快速部署私人 ChatGPT 网页应用的项目。 NextChat 2.11.2及之前版本存在安全漏洞,该漏洞源于存在服务器请求伪造(SSRF)和跨站脚本(XSS)漏洞。攻击者可利用该漏洞对内部HTTP端点进行读取访问等操作。
CVSS Information
N/A
Vulnerability Type
N/A