CVE-2024-5711

6.1 MEDIUM

📋 TL;DR

A stored Cross-Site Scripting (XSS) vulnerability in the stitionai/devika chat feature allows attackers to inject malicious JavaScript payloads that execute in users' browsers. This affects all versions of the application and can lead to credential theft and data exfiltration from chat logs and projects.

💻 Affected Systems

Products:
  • stitionai/devika
Versions: All versions prior to patch
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the chat feature which is a core component of the application.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator credentials, compromise all user accounts, exfiltrate sensitive project data, and establish persistent access to the application.

🟠 Likely Case

Attackers steal user session cookies and credentials, access chat history containing sensitive information, and potentially pivot to other systems.

🟢 If Mitigated

With proper input validation and output encoding, the vulnerability is eliminated and no malicious scripts can execute.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the chat interface but payloads are simple JavaScript injections.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2

Vendor Advisory: https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2

Restart Required: Yes

Instructions:

1. Update to the latest version of stitionai/devika.
2. Apply commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2.
3. Restart the application server.

🔧 Temporary Workarounds

Input Validation Filter (all)

  • Implement server-side input validation to reject or sanitize HTML/JavaScript in chat messages
  • Implement input sanitization using libraries like DOMPurify or similar XSS prevention libraries

Content Security Policy (all)

  • Implement strict CSP headers to prevent inline script execution
  • Add header: Content-Security-Policy: script-src 'self'
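The two workarounds above, as an added example that is not devika's own code: server-side output encoding (with an optional reject policy for messages carrying active markup) and the advisory's CSP header applied to a response. The message samples, the `ACTIVE_MARKUP_RE` pattern and the function names are assumptions for illustration; the header value is the one the advisory recommends.

```python
import html
import re

# Constructed chat messages for the demonstration (not taken from the advisory).
SAMPLE_MESSAGES = [
    "please refactor the login handler",
    "compare with: if a < b && c > d",          # legitimate angle brackets
    "<script>alert('XSS')</script>",            # the advisory's verification payload
]

# Markup a chat message never legitimately needs (assumed pattern): script tags,
# javascript: URLs and inline event-handler attributes. Used only by the "reject"
# policy; the "encode" policy neutralises everything by escaping instead.
ACTIVE_MARKUP_RE = re.compile(
    r"<\s*/?\s*script\b|javascript\s*:|<\s*\w+[^>]*\son\w+\s*=", re.I
)


def encode_for_html(message):
    """Output-encode so the browser renders the message as text, never as markup.

    html.escape(quote=True) also escapes ' and ", so the result is safe inside
    attribute values as well as element bodies.
    """
    return html.escape(message, quote=True)


def validate_chat_message(message, policy="encode"):
    """Return (accepted, safe_value).

    'reject' refuses messages containing active markup outright; 'encode' accepts
    everything and relies on output encoding. Both leave plain text untouched.
    """
    if policy == "reject" and ACTIVE_MARKUP_RE.search(message):
        return False, ""
    return True, encode_for_html(message)


# The advisory's workaround header. script-src 'self' blocks inline <script>
# blocks and event-handler attributes, so the frontend must load its scripts
# from its own origin (or use nonces) for the page to keep working.
SECURITY_HEADERS = {
    "Content-Security-Policy": "script-src 'self'",
}


def add_security_headers(headers):
    """Merge the CSP header into a response header dict (framework-agnostic)."""
    merged = dict(headers)
    merged.update(SECURITY_HEADERS)
    return merged


def render_chat(messages):
    """Build the chat list markup with every message output-encoded."""
    return "\n".join(f"<li>{encode_for_html(m)}</li>" for m in messages)


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(validate_chat_message(m, policy="reject"))
    print(render_chat(SAMPLE_MESSAGES))
    print(add_security_headers({"Content-Type": "text/html; charset=utf-8"}))
```

Output encoding is the fix that survives new payload shapes; the reject policy is a coarse filter and should be layered on top of encoding, not used instead of it. Deploying the CSP header requires checking that the frontend serves no inline scripts, otherwise the application itself breaks under `script-src 'self'`.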

🧯 If You Can't Patch

  • Disable the chat feature entirely if not essential
  • Implement a web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Test chat input with the payload <script>alert('XSS')</script> and check whether the script executes when the message is rendered

Check Version:

Check git commit hash or application version in deployment configuration

Verify Fix Applied:

Test with the same payload after patching: the script should not execute and the input should be rendered as text

📡 Detection & Monitoring

Log Indicators:

  • Unusual chat messages containing script tags or JavaScript code
  • Multiple failed login attempts from unexpected locations

Network Indicators:

  • Outbound connections to suspicious domains from user browsers
  • Unusual data exfiltration patterns

SIEM Query:

source=application_logs message="*<script>*" OR message="*javascript:*"
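Added example, not part of the advisory: the SIEM query above run as code over constructed log lines, alongside a broader matcher that also catches case variants and percent-encoded payloads. The log format, field names and sample lines are assumptions; whether a given SIEM's wildcard match is case-insensitive depends on the platform, so the literal function below is the strict, case-sensitive reading of the query.

```python
import re
from urllib.parse import unquote

# Constructed key=value application log lines (not real devika logs).
SAMPLE_LOGS = [
    "ts=2024-06-07T10:00:01Z source=application_logs user=alice message=\"please add unit tests for the parser\"",
    "ts=2024-06-07T10:00:05Z source=application_logs user=bob message=\"<script>alert('XSS')</script>\"",
    "ts=2024-06-07T10:00:09Z source=application_logs user=carol message=\"<ScRiPt>alert(1)</ScRiPt>\"",
    "ts=2024-06-07T10:00:12Z source=application_logs user=dave message=\"%3Cscript%3Ealert(1)%3C/script%3E\"",
    "ts=2024-06-07T10:00:15Z source=application_logs user=erin message=\"see javascript: URLs in the spec\"",
    "ts=2024-06-07T10:00:20Z source=auth_logs user=frank message=\"login failed\"",
]

# key=value pairs where the value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Broader patterns: case-insensitive, tolerant of whitespace inside the tag.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
]


def parse_log_line(line):
    """Parse one key=value log line into a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def matches_literal_siem_query(message):
    """Strict reading of: message="*<script>*" OR message="*javascript:*"."""
    return "<script>" in message or "javascript:" in message


def is_suspicious(message):
    """Broader check: URL-decode first, then match case-insensitively.

    A plain mention of 'javascript:' in prose will also match; that is a
    triage decision for the analyst, not something the query can settle.
    """
    decoded = unquote(message)
    return any(p.search(decoded) for p in XSS_PATTERNS)


def scan_logs(lines, source="application_logs", matcher=is_suspicious):
    """Return the parsed records from `source` whose message the matcher flags."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("source") != source:
            continue
        if matcher(rec.get("message", "")):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    print("literal:", [r["user"] for r in scan_logs(SAMPLE_LOGS, matcher=matches_literal_siem_query)])
    print("broad:  ", [r["user"] for r in scan_logs(SAMPLE_LOGS)])
```

The literal query misses the mixed-case and percent-encoded samples; in a SIEM the same gap is closed with case-insensitive matching and decoding the field before comparison, or by alerting on the stored (post-decode) message rather than the raw request log.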
