Home > Vulnerability Database > CVE-2024-11850

Mend.io Vulnerability Database

CVE-2024-11850

Date: March 20, 2025

A stored cross-site scripting (XSS) vulnerability exists in the latest version of langgenius/dify. The vulnerability is due to improper validation and sanitization of user input in SVG markdown support within the chatbot feature. An attacker can exploit this vulnerability by injecting malicious SVG content, which can execute arbitrary JavaScript code when viewed by an admin, potentially leading to credential theft.

Severity Score

6.8

Related Resources (3)

Url: https://huntr.com/bounties/893da115-028d-4718-b586-a2b77897a470

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-11850

Url: https://www.mend.io/vulnerability-database/CVE-2024-11850

Severity Score

6.8

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	6.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-11850

Date: March 20, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?