CVE-2024-48140

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 24, 2024 / Updated: 26d ago

CVSS 7.5 / EPSS 0.04% / High

Summary

A prompt injection vulnerability in the chatbox of Butterfly Effect Limited Monica Your AI Copilot powered by ChatGPT4 v6.3.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message.

Impact

This vulnerability could lead to unauthorized access to and exfiltration of sensitive user data. Attackers could potentially obtain all chat history and ongoing conversations between users and the AI assistant, compromising user privacy and potentially exposing confidential information shared during interactions.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

As of the vulnerability publication date (October 24, 2024), there is no specific information provided about an available patch.

Mitigation

While no specific mitigation steps are provided in the vulnerability data, general recommendations may include:

1. Updating Monica Your AI Copilot to the latest version if a patch becomes available.
2. Implementing stronger input validation and sanitization in the chatbox to prevent prompt injection attacks.
3. Limiting the access of the AI assistant to historical chat data.
4. Implementing additional authentication and authorization checks for accessing chat history.
5. Monitoring for unusual data access or exfiltration patterns.

Users should be cautious about sharing sensitive information through the chatbox until a fix is confirmed.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-48140

Oct 24, 2024 at 7:15 PM
First Article

Feedly found the first article mentioning CVE-2024-48140.

Oct 24, 2024 at 7:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 24, 2024 at 7:24 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 24, 2024 at 7:40 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.8%)

Oct 25, 2024 at 10:07 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Oct 25, 2024 at 7:40 PM / nvd

Affected Systems

Getgist/chatbox

Attack Patterns

CAPEC-136: LDAP Injection

News

CVE-2024-48140
High Severity Description A prompt injection vulnerability in the chatbox of Butterfly Effect Limited Monica Your AI Copilot powered by ChatGPT4 v6.3.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. Read more at https://www.tenable.com/cve/CVE-2024-48140
NA - CVE-2024-48140 - A prompt injection vulnerability in the chatbox...
A prompt injection vulnerability in the chatbox of Butterfly Effect Limited Monica Your AI Copilot powered by ChatGPT4 v6.3.0 allows attackers to access and exfiltrate all previous and subsequent...
CVE-2024-48140 | Butterfly Effect Limited Monica Your AI Copilot 6.3.0 Chatbox injection
A vulnerability classified as critical has been found in Butterfly Effect Limited Monica Your AI Copilot 6.3.0 . Affected is an unknown function of the component Chatbox . The manipulation leads to injection. This vulnerability is traded as CVE-2024-48140 . The attack needs to be approached within the local network. There is no exploit available.
CVE-2024-48140
A prompt injection vulnerability in the chatbox of Butterfly Effect Limited Monica Your AI Copilot powered by ChatGPT4 v6.3.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted...
CVE-2024-48140 - Butterfly Effect Limited Monica Your AI Copilot Chatbox Prompt Injection
CVE ID : CVE-2024-48140 Published : Oct. 24, 2024, 7:15 p.m. 22 minutes ago Description : A prompt injection vulnerability in the chatbox of Butterfly Effect Limited Monica Your AI Copilot powered by ChatGPT4 v6.3.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. Severity: 0.0 NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
