{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-11441", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-11-19T16:35:59.585Z", "datePublished": "2025-03-20T10:08:46.700Z", "dateUpdated": "2025-03-20T19:04:15.261Z"}, "containers": {"cna": {"title": "Stored XSS in Serge in serge-chat/serge", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2025-03-20T10:08:46.700Z"}, "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability exists in Serge version 0.9.0. The vulnerability is due to improper neutralization of input during web page generation in the chat prompt. An attacker can exploit this vulnerability by sending a crafted message containing malicious HTML/JavaScript code, which will be stored and executed whenever the chat is accessed, leading to unintended content being shown to the user and potential phishing attacks."}], "affected": [{"vendor": "serge-chat", "product": "serge-chat/serge", "versions": [{"version": "unspecified", "status": "affected", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/ae76d1ea-21a4-456d-bef2-331aef3ea376"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79"}]}], "source": {"advisory": "ae76d1ea-21a4-456d-bef2-331aef3ea376", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-20T17:52:19.641937Z", "id": "CVE-2024-11441", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T19:04:15.261Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-11441", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-20T17:52:19.641937Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T17:52:21.287Z"}}], "cna": {"title": "Stored XSS in Serge in serge-chat/serge", "source": {"advisory": "ae76d1ea-21a4-456d-bef2-331aef3ea376", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "serge-chat", "product": "serge-chat/serge", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/ae76d1ea-21a4-456d-bef2-331aef3ea376"}], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability exists in Serge version 0.9.0. The vulnerability is due to improper neutralization of input during web page generation in the chat prompt. An attacker can exploit this vulnerability by sending a crafted message containing malicious HTML/JavaScript code, which will be stored and executed whenever the chat is accessed, leading to unintended content being shown to the user and potential phishing attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2025-03-20T10:08:46.700Z"}}}, "cveMetadata": {"cveId": "CVE-2024-11441", "state": "PUBLISHED", "dateUpdated": "2025-03-20T19:04:15.261Z", "dateReserved": "2024-11-19T16:35:59.585Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2025-03-20T10:08:46.700Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability exists in Serge version 0.9.0. The vulnerability is due to improper neutralization of input during web page generation in the chat prompt. An attacker can exploit this vulnerability by sending a crafted message containing malicious HTML/JavaScript code, which will be stored and executed whenever the chat is accessed, leading to unintended content being shown to the user and potential phishing attacks."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en la versi\u00f3n 0.9.0 de Serge. Esta vulnerabilidad se debe a la neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web en el mensaje de chat. Un atacante puede explotar esta vulnerabilidad enviando un mensaje manipulado con c\u00f3digo HTML/JavaScript malicioso, que se almacenar\u00e1 y ejecutar\u00e1 al acceder al chat, lo que provocar\u00e1 la visualizaci\u00f3n de contenido no deseado al usuario y posibles ataques de phishing."}], "id": "CVE-2024-11441", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2025-03-20T10:15:25.110", "references": [{"source": "security@huntr.dev", "url": "https://huntr.com/bounties/ae76d1ea-21a4-456d-bef2-331aef3ea376"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@huntr.dev", "type": "Secondary"}]}

{}

{}