CVE-2024-48144

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 24, 2024 / Updated: 26d ago

CVSS 9.1 / EPSS 0.04% / Critical

Summary

A prompt injection vulnerability exists in the chatbox of Fusion Chat Chat AI Assistant Ask Me Anything v1.2.4.0. This vulnerability allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant by sending a crafted message.

Impact

This vulnerability has a severe impact on the confidentiality and availability of the system. Attackers can gain unauthorized access to sensitive chat data, including both past and future conversations between users and the AI assistant. This can lead to significant privacy breaches and potential exposure of confidential information shared during chat sessions. The attack can be executed remotely over the network without requiring user interaction or special privileges, making it particularly dangerous. The CVSS v3.1 base score for this vulnerability is 9.1 (Critical), with High impact on both Confidentiality and Availability.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

As of the provided information, there is no mention of an available patch for this vulnerability. Users of Fusion Chat Chat AI Assistant Ask Me Anything v1.2.4.0 should be on high alert and check for updates from the vendor.

Mitigation

While a patch is not mentioned, potential mitigation strategies include:
1. Upgrading to a newer version of the software if available.
2. Implementing strong input validation and sanitization to reduce the risk of prompt injection attacks.
3. Limiting the chatbox's access to historical chat data.
4. Implementing strict access controls and monitoring for unusual data access patterns.
5. Educating users about the risks of sharing sensitive information through the chat interface.
6. Considering disabling the chatbox feature until a patch is available if the risk is deemed too high.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-48144

Oct 24, 2024 at 7:15 PM
First Article

Feedly found the first article mentioning CVE-2024-48144.

Oct 24, 2024 at 7:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 24, 2024 at 7:24 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.8%)

Oct 25, 2024 at 10:07 AM
CVSS

A CVSS base score of 9.1 has been assigned.

Oct 28, 2024 at 8:40 PM / nvd
CVSS

A CVSS base score of 9.1 has been assigned.

Oct 28, 2024 at 9:55 PM / nvd

Affected Systems

Getgist/chatbox

Attack Patterns

CAPEC-136: LDAP Injection

News

CVE-2024-48144
High Severity Description A prompt injection vulnerability in the chatbox of Fusion Chat Chat AI Assistant Ask Me Anything v1.2.4.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. Read more at https://www.tenable.com/cve/CVE-2024-48144
NA - CVE-2024-48144 - A prompt injection vulnerability in the chatbox...
A prompt injection vulnerability in the chatbox of Fusion Chat Chat AI Assistant Ask Me Anything v1.2.4.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the...
CVE-2024-48144 | Fusion Chat Chat AI Assistant Ask Me Anything 1.2.4.0 Chatbox injection
A vulnerability was found in Fusion Chat Chat AI Assistant Ask Me Anything 1.2.4.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Chatbox. The manipulation leads to injection. This vulnerability is known as CVE-2024-48144. The attack needs to be approached within the local network. There is no exploit available.
CVE-2024-48144
A prompt injection vulnerability in the chatbox of Fusion Chat Chat AI Assistant Ask Me Anything v1.2.4.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted...
CVE-2024-48144 - Fusion Chat Chat AI Assistant Prompt Injection Information Disclosure
CVE ID: CVE-2024-48144 Published: Oct. 24, 2024, 7:15 p.m. 22 minutes ago Description: A prompt injection vulnerability in the chatbox of Fusion Chat Chat AI Assistant Ask Me Anything v1.2.4.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. Severity: 0.0 NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:None
Availability Impact:High
