Multiple vulnerabilities in EmbedAI

Posted date 27/01/2025
Identifier
INCIBE-2025-0047
Importance
4 - High
Affected Resources
  • EmbedAI, versions prior to 2.1.
Description

INCIBE has coordinated the publication of 9 vulnerabilities, 5 of high severity and 4 of medium severity, affecting EmbedAI, a tool for the creation of chatbots. They were discovered by David Utón Amaya (m3n0sd0n4ld).

Each vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-0739: CVSS v3.1: 8.6 | CVSS AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | CWE-284
  • CVE-2025-0740: CVSS v3.1: 8.6 | CVSS AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | CWE-284
  • CVE-2025-0741: CVSS v3.1: 5.8 | CVSS AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N | CWE-284
  • CVE-2025-0742: CVSS v3.1: 5.8 | CVSS AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N | CWE-284
  • CVE-2025-0743: CVSS v3.1: 5.3 | CVSS AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | CWE-284
  • CVE-2025-0744: CVSS v3.1: 7.5 | CVSS AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | CWE-284
  • CVE-2025-0745: CVSS v3.1: 7.5 | CVSS AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CWE-284
  • CVE-2025-0746: CVSS v3.1: 6.1 | CVSS AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79
  • CVE-2025-0747: CVSS v3.1: 8.6 | CVSS AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | CWE-79
Solution

The vulnerabilities have been resolved by the EmbedAI team in version 2.1.

Detail
  • CVE-2025-0739: an Improper Access Control vulnerability has been found in EmbedAI. This vulnerability allows an authenticated attacker to view other users' subscription information by changing the "SUSCBRIPTION_ID" parameter of the endpoint "/demos/embedai/subscriptions/show/<SUSCBRIPTION_ID>".
  • CVE-2025-0740: an Improper Access Control vulnerability has been found in EmbedAI. This vulnerability allows an authenticated attacker to obtain chat messages belonging to other users by changing the "CHAT_ID" of the endpoint "/embedai/chats/load_messages?chat_id=<CHAT_ID>".
  • CVE-2025-0741: an Improper Access Control vulnerability has been found in EmbedAI. This vulnerability allows an authenticated attacker to write messages into other users' chats by changing the parameter "chat_id" of the POST request "/embedai/chats/send_message".
  • CVE-2025-0742: an Improper Access Control vulnerability has been found in EmbedAI. This vulnerability allows an authenticated attacker to obtain files stored by other users by changing the "FILE_ID" of the endpoint "/embedai/files/show/<FILE_ID>".
  • CVE-2025-0743: an Improper Access Control vulnerability has been found in EmbedAI. This vulnerability allows an authenticated attacker to leverage the endpoint "/embedai/visits/show/<VISIT_ID>" to obtain information about the visits made by other users. The information provided by this endpoint includes IP address, userAgent and location of the user that visited the web page.
  • CVE-2025-0744: an Improper Access Control vulnerability has been found in EmbedAI. This vulnerability allows an authenticated attacker to change their subscription plan without paying by making a POST request changing the parameters of the "/demos/embedai/pmt_cash_on_delivery/pay" endpoint.
  • CVE-2025-0745: an Improper Access Control vulnerability has been found in EmbedAI. This vulnerability allows an authenticated attacker to obtain the backups of the database by requesting the "/embedai/app/uploads/database/<SQL_FILE>" endpoint.
  • CVE-2025-0746: a Reflected Cross-Site Scripting vulnerability has been found in EmbedAI. This vulnerability allows an authenticated attacker to craft a malicious URL leveraging the "/embedai/users/show/<SCRIPT>" endpoint to inject malicious JavaScript code. This JavaScript code will be executed when a user opens the malicious URL.
  • CVE-2025-0747: a Stored Cross-Site Scripting vulnerability has been found in EmbedAI. This vulnerability allows an authenticated attacker to inject malicious JavaScript code into a message that will be executed when a user opens the chat.
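
For installations still running a version prior to 2.1, the following added example (not part of the INCIBE advisory or of EmbedAI's code) scans web access logs for requests to the endpoints listed above. It assumes the Apache/nginx combined log format, identifies clients by IP address and uses an assumed threshold of three distinct object IDs per client as a heuristic to tune; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints named in the advisory; matched by suffix so a "/demos" prefix also hits.
ID_IN_PATH = re.compile(r"/embedai/(subscriptions|files|visits)/show/([^/]+)$")
BACKUP = re.compile(r"/embedai/app/uploads/database/[^/]+$")
USER_SHOW = re.compile(r"/embedai/users/show/(.+)$")
# Assumed log format: Apache/nginx "combined" (client, time, request line, status).
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def scan(lines, max_ids=3):
    """Return sorted (client, reason) findings; max_ids is an assumed threshold."""
    ids = defaultdict(set)  # (client, resource) -> distinct object ids requested
    findings = set()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path)
        hit = ID_IN_PATH.search(path)
        user = USER_SHOW.search(path)
        if hit:
            ids[(client, hit.group(1))].add(hit.group(2))
        elif path.endswith("/embedai/chats/load_messages"):
            ids[(client, "chats")].update(parse_qs(url.query).get("chat_id", []))
        elif BACKUP.search(path) and status == "200":
            findings.add((client, "database backup served: " + path))
        elif user and re.search(r"[<>\"']", user.group(1)):
            findings.add((client, "markup characters in /embedai/users/show/ path"))
    for (client, resource), seen in ids.items():
        if len(seen) > max_ids:
            findings.add((client, f"{len(seen)} distinct ids on {resource}"))
    return sorted(findings)

# Constructed sample lines (documentation IP ranges, made-up ids and file name).
T = "[27/Jan/2025:10:00:00 +0000]"
SAMPLE_LOG = [
    f'198.51.100.7 - - {T} "GET /embedai/chats/load_messages?chat_id={n} HTTP/1.1" 200 512'
    for n in (101, 102, 103, 104)
] + [
    f'192.0.2.5 - - {T} "GET /embedai/files/show/12 HTTP/1.1" 200 900',
    f'203.0.113.9 - - {T} "GET /embedai/app/uploads/database/backup.sql HTTP/1.1" 200 70411',
    f'192.0.2.44 - - {T} "GET /embedai/users/show/%3Cb%3E HTTP/1.1" 200 300',
]
```

The POST requests to "/embedai/chats/send_message" and "/demos/embedai/pmt_cash_on_delivery/pay" carry their parameters in the request body, so a standard access log does not record them and this scan does not cover CVE-2025-0741 or CVE-2025-0744.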