gaizhenbiao/chuanhuchatgpt is vulnerable to improper access control
High severity (Unreviewed)
Published Apr 10, 2024 to the GitHub Advisory Database; updated Apr 10, 2024
Description
Published by the National Vulnerability Database: Apr 10, 2024
Published to the GitHub Advisory Database: Apr 10, 2024
Last updated: Apr 10, 2024
gaizhenbiao/chuanhuchatgpt is vulnerable to improper access control, allowing unauthorized access to the config.json file. This vulnerability is present in both authenticated and unauthenticated versions of the application, enabling attackers to obtain sensitive information such as API keys (openai_api_key, google_palm_api_key, xmchat_api_key, etc.), configuration details, and user credentials. The issue stems from the application's handling of HTTP requests for the config.json file, which does not properly restrict access based on user authentication.
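The weakness class the advisory describes, a configuration endpoint answered without any authentication check, shown next to a hardened handler that refuses anonymous requests and strips secret fields before responding. This is an added illustration written for this page, not code from chuanhuchatgpt or from the advisory; the Request stand-in, the /config.json route, the redaction rules and the sample configuration values are constructed assumptions, and only the key names openai_api_key, google_palm_api_key and xmchat_api_key are taken from the advisory text.

```python
"""Added example: unauthenticated config exposure versus an access-controlled,
redacting handler. Not the project's code; framework details are assumed."""
import json
import re

# Constructed sample config.json. Key names follow the advisory; the values
# are placeholders, not real credentials.
SAMPLE_CONFIG_JSON = json.dumps({
    "openai_api_key": "sk-EXAMPLE-PLACEHOLDER",
    "google_palm_api_key": "palm-EXAMPLE-PLACEHOLDER",
    "xmchat_api_key": "xm-EXAMPLE-PLACEHOLDER",
    "users": [["alice", "PASSWORD-PLACEHOLDER"]],
    "local_embedding": False,
})

# Keys whose values must never leave the server (assumed naming convention).
SECRET_KEY_PATTERN = re.compile(r"(api_key|secret|password|token)$", re.IGNORECASE)


class Request:
    """Minimal stand-in for a web framework request object (hypothetical)."""

    def __init__(self, path, session_user=None):
        self.path = path
        # None means the caller has no valid login session.
        self.session_user = session_user


def vulnerable_config_handler(request, config_json=SAMPLE_CONFIG_JSON):
    """The pattern in the advisory: a request for /config.json is answered
    with the raw file whether or not the caller is authenticated."""
    if request.path == "/config.json":
        return 200, config_json
    return 404, ""


def redact_secrets(obj):
    """Recursively replace values under secret-looking keys and drop the
    credential list entirely, so even a logged-in user sees no secrets."""
    if isinstance(obj, dict):
        redacted = {}
        for key, value in obj.items():
            if key == "users":
                continue  # credentials are never part of a client-visible view
            if SECRET_KEY_PATTERN.search(key):
                redacted[key] = "***REDACTED***"
            else:
                redacted[key] = redact_secrets(value)
        return redacted
    if isinstance(obj, list):
        return [redact_secrets(item) for item in obj]
    return obj


def hardened_config_handler(request, config_json=SAMPLE_CONFIG_JSON):
    """Deny anonymous callers outright, and return only a redacted view of
    the configuration to authenticated ones."""
    if request.path != "/config.json":
        return 404, ""
    if request.session_user is None:
        return 401, ""
    public_view = redact_secrets(json.loads(config_json))
    return 200, json.dumps(public_view)


def response_leaks_placeholder_secret(body):
    """Check helper: does a response body still contain any of the sample
    secret values? Useful as a regression test for the endpoint."""
    secrets = ("sk-EXAMPLE-PLACEHOLDER", "palm-EXAMPLE-PLACEHOLDER",
               "xm-EXAMPLE-PLACEHOLDER", "PASSWORD-PLACEHOLDER")
    return any(secret in body for secret in secrets)


if __name__ == "__main__":
    anonymous = Request("/config.json")
    print("vulnerable, anonymous:", vulnerable_config_handler(anonymous))
    print("hardened, anonymous:", hardened_config_handler(anonymous))
    print("hardened, logged in:", hardened_config_handler(Request("/config.json", "alice")))
```

The redaction step matters independently of the login check: an authenticated user of a shared deployment has no more business reading another operator's API keys than an anonymous one, so the hardened handler never serializes the raw file for anyone.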