CVE-2024-7790

Severity: 6.5 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability exists in DevikaAI: user input is improperly decoded, so an attacker can store content that is later delivered to other users as live script. The script runs in the victim's browser when the compromised content is viewed, where it can read session cookies or perform actions as that user. All users running DevikaAI from commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2 onwards are affected.

💻 Affected Systems

Products: DevikaAI
Versions: From commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2 onwards
Operating Systems: All platforms running DevikaAI
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using vulnerable commits are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full system access, install backdoors, exfiltrate sensitive data, or pivot to internal networks.

🟠 Likely Case

Attackers steal user session cookies to hijack accounts, deface content, or redirect users to malicious sites.

🟢 If Mitigated

Script execution is blocked by browser security features or a content security policy, limiting the impact to minor UI disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Stored XSS typically requires some level of access to an input field that is later rendered to other users; once that access is obtained, exploitation is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check DevikaAI repository for security updates
2. Update to a version after the fix commit
3. Review and sanitize all user input handling code

🔧 Temporary Workarounds

Input Sanitization (applies to: all)

Implement proper input validation and output encoding for all user-controlled data.
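The TL;DR names the root cause as user input that is "improperly decoded", so the sanitization workaround above comes down to the order of decoding and encoding. The example below is an added illustration, not DevikaAI's code (the page does not show it): it uses a constructed URL-encoded field to show the escape-then-decode ordering that leaves live markup in the page beside the canonicalize-then-escape ordering, and it also handles doubly encoded input, which is an assumption about the bug class in general rather than a claim about this CVE.

```python
import html
from urllib.parse import unquote

# Constructed sample input: a URL-encoded message body as a form might submit it.
# DevikaAI's actual code path is not shown on the page; this models the bug class
# it names, "improperly decoded user input", as decoding that runs after escaping.
STORED_INPUT = "%3Cscript%3Ealert('test')%3C/script%3E"  # constructed


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so doubly encoded
    input such as %253C cannot survive one decode and be decoded again later."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def render_unsafe(stored: str) -> str:
    """Vulnerable ordering: escape, then decode. The decode step re-creates the
    raw '<' and '>' that html.escape just neutralised, so the browser sees a
    live <script> element when this string is placed in a page."""
    escaped = html.escape(stored)
    return unquote(escaped)


def render_safe(stored: str) -> str:
    """Hardened ordering: canonicalize first, escape once at the output boundary.
    Whatever was encoded in the input ends up as inert text in the HTML."""
    return html.escape(canonicalize(stored), quote=True)


def contains_markup(rendered: str) -> bool:
    """Check a test suite can run over rendered output: any unescaped angle
    bracket means user data crossed the HTML text boundary."""
    return "<" in rendered or ">" in rendered


if __name__ == "__main__":
    print("unsafe:", render_unsafe(STORED_INPUT))
    print("safe:  ", render_safe(STORED_INPUT))
```

The same check applies to any other decode step in the pipeline (base64, JSON, HTML entity decoding): decoding must finish before the single escape at output.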

Content Security Policy (applies to: all)

Implement strict CSP headers to block inline script execution:

Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Disable user input features or restrict to trusted users only

🔍 How to Verify

Check if Vulnerable:

Check whether the deployed DevikaAI commit is in the vulnerable range, which starts at 6acce21fb08c3d1123ef05df6a33912bf0ee77c2.

Check Version:

git log --oneline -1

Verify Fix Applied:

Submit a harmless test payload such as <script>alert('test')</script> to user input fields and verify that it is rendered as inert text (encoded on output) rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags in user input logs
  • Multiple failed login attempts followed by script injection

Network Indicators:

  • Outbound connections to suspicious domains from DevikaAI server
  • Unusual JavaScript in HTTP responses

SIEM Query:

source="devika_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
