CVE-2024-9617
published 2025-03-20CVE-2024-9617: An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator…
PriorityP345medium6.5CVSS 3.0
AVNACLPRLUINSUCHINAN
EXPLOIT
EPSS
1.56%
72.1th percentile
An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| danswer-ai | danswer-ai_danswer | unspecified – latest | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
Danswer - Insecure Direct Object Reference
nuclei·CVSS 6.5
CVE-2024-9617 [MEDIUM] Danswer - Insecure Direct Object Reference
Danswer - Insecure Direct Object Reference
The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.
Template:
id: CVE-2024-9617
info:
name: Danswer - Insecure Direct Object Reference
author: s4e-io
severity: medium
description: |
The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.
impact: |
Authenticated attackers can access and view files belonging to other users without proper authorization checks through insecure direct object references, leading to unauthorized disclosure of sensitive chat files and data.
remediation: |
2025-03-20
Published