cbcvebase.
CVE-2024-5820
published 2024-06-27

Priority: P3 50
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.79% (51.6th percentile)
An unprotected WebSocket connection in the latest version of stitionai/devika (commit ecee79f) allows a malicious website to connect to the backend and issue commands on behalf of the user. The backend serves all listeners on the given socket, enabling any such malicious website to intercept all communication between the user and the backend. This vulnerability can lead to unauthorized command execution and potential server-side request forgery.

Affected (2 ranges)

Vendor      Product             Version range           Fixed in
stitionai   devika
stitionai   stitionai_devika    unspecified – latest

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd            v3.0      7.6     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
vendor_redhat            7.8     HIGH