Stored XSS in gpt_academic via file upload (CVE-2024-10101)

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Description: - Title: Stored XSS via file upload, shareable via in . - Report Date: October 2, 2024. - Reporter: Dan McInerney. - Vulnerability Type: CWE-79: Cross-site Scripting (XSS) - Stored. - Severity: High (8.2). 2. Exploitation: - Exploitation Method: Upload a file named with content . - Exploit Link: . 3. Impact: - Impact Scope: The stored XSS link can be shared by legitimate users and may contain payloads that exfiltrate their session cookies or other sensitive information to an attacker-controlled server. 4. Reference Links: - 5. Report Status: - Status: Pending Fix. - Disclosure Bounty: $300. - Fix Bounty: $75. 6. Discoverer: - Discoverer: Ethan Silvas. - Discoverer ID: @ethansilvas. 7. Community Feedback: - Community Feedback: The report was deemed potentially out of scope or likely to be marked as informational. - Community Suggestion: Provide more detailed information, including a PoC (proof of concept). 8. Verification and Rewards: - Verification: Verified by Marcello. - Reward: Ethan Silvas was awarded the disclosure bounty. 9. CVE ID: - CVE ID: CVE-2024-10101. This information provides a detailed overview of the vulnerability, including its description, exploitation method, impact, discoverer, community feedback, and reward status.

Goal Reached Thanks to every supporter — we hit 100%!

Stored XSS in gpt_academic via file upload (CVE-2024-10101)