{"data":{"id":"e1d3197d-1168-426f-afc1-a3a531c02789","title":"CVE-2023-49785: NextChat, also known as ChatGPT-Next-Web, is a cross-platform chat user interface for use with ChatGPT. Versions 2.11.2 ","summary":"NextChat (also called ChatGPT-Next-Web) versions 2.11.2 and earlier have two security flaws: SSRF (server-side request forgery, where attackers trick the server into making requests on their behalf) and XSS (cross-site scripting, where attackers inject malicious script into web pages viewed by other users). These flaws let attackers read internal server data, make changes to it, hide their origin by routing traffic through the app, or attack other targets on the internet.","solution":"According to the source: \"Users may avoid exposing the application to the public internet or, if exposing the application to the internet, ensure it is an isolated network with no access to any other internal resources.\" The source also notes that as of publication, no patch is available.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2023-49785","publishedAt":"2024-03-12T04:15:26.383Z","cveId":"CVE-2023-49785","cweIds":["CWE-79","CWE-918","CWE-79","CWE-918"],"cvssScore":"9.1","cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["OpenAI"],"affectedVendorsRaw":["OpenAI","ChatGPT","NextChat","ChatGPT-Next-Web"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.92643,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-198","CAPEC-664","CAPEC-86"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}