CVE-2024-48145

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 24, 2024 / Updated: 26d ago

CVSS 9.1 / EPSS 0.04% / Critical

Summary

A prompt injection vulnerability exists in the chatbox of Netangular Technologies ChatNet AI Version v1.0. This vulnerability allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant by sending a crafted message.

Impact

The impact of this vulnerability is severe. Attackers can gain unauthorized access to sensitive chat data, including both historical and future conversations between users and the AI assistant. This leads to a significant breach of confidentiality, potentially exposing private information, business secrets, or personal data shared during chat sessions. The vulnerability has a high impact on both confidentiality and availability, as indicated by the CVSS v3.1 score.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation at the moment.

Patch

As of the current information, there is no specific mention of an available patch. The affected software is Netangular Technologies ChatNet AI Version v1.0, and security teams should monitor for updates from the vendor.

Mitigation

While awaiting a patch, consider the following mitigation strategies:

1. Limit access to the ChatNet AI system to only trusted users and networks.
2. Implement strong input validation and sanitization for all user inputs in the chatbox.
3. Monitor chat logs for any suspicious activities or data exfiltration attempts.
4. If possible, temporarily disable the chatbox feature until a patch is available.
5. Educate users about the risks of sharing sensitive information through the chat system.
6. Implement additional logging and monitoring to detect potential exploit attempts.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-48145

Oct 24, 2024 at 7:15 PM
First Article

Feedly found the first article mentioning CVE-2024-48145.

Oct 24, 2024 at 7:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 24, 2024 at 7:24 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.8%)

Oct 25, 2024 at 10:07 AM
CVSS

A CVSS base score of 9.1 has been assigned.

Oct 28, 2024 at 8:40 PM / nvd
CVSS

A CVSS base score of 9.1 has been assigned.

Oct 28, 2024 at 9:55 PM / nvd

Affected Systems

Getgist/chatbox

Attack Patterns

CAPEC-136: LDAP Injection

News

CVE-2024-48145
High Severity. Description: A prompt injection vulnerability in the chatbox of Netangular Technologies ChatNet AI Version v1.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. Read more at https://www.tenable.com/cve/CVE-2024-48145
NA - CVE-2024-48145 - A prompt injection vulnerability in the chatbox...
A prompt injection vulnerability in the chatbox of Netangular Technologies ChatNet AI Version v1.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user...
CVE-2024-48145 | Netangular ChatNet AI 1.0 Chatbox injection
A vulnerability was found in Netangular ChatNet AI 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Chatbox. The manipulation leads to injection. This vulnerability is handled as CVE-2024-48145. The attack can only be done within the local network. There is no exploit available.
CVE-2024-48145
A prompt injection vulnerability in the chatbox of Netangular Technologies ChatNet AI Version v1.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted...
CVE-2024-48145 - Netangular Technologies ChatNet Chatbox Prompt Injection Vulnerability
CVE ID: CVE-2024-48145. Published: Oct. 24, 2024, 7:15 p.m. Description: A prompt injection vulnerability in the chatbox of Netangular Technologies ChatNet AI Version v1.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. Severity: 0.0 NA. Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability Impact: High
