cnvd - cnvd-2025-06186

CNVD-2025-06186

Vulnerability from cnvd - Published: 2025-03-31

Title

ChuanhuChatGPT访问控制错误漏洞

Description

ChuanhuChatGPT是一款应用程序，为ChatGPT等多种LLM提供了一个轻快好用的Web图形界面和众多附加功能。 ChuanhuChatGPT 20240802版本存在访问控制错误漏洞，该漏洞源于会话数据处理不当和缺乏访问控制机制，攻击者可利用此漏洞导致访问和操作其他用户的聊天记录。

Severity

高

Patch Name

ChuanhuChatGPT访问控制错误漏洞的补丁

Patch Description

ChuanhuChatGPT是一款应用程序，为ChatGPT等多种LLM提供了一个轻快好用的Web图形界面和众多附加功能。 ChuanhuChatGPT 20240802版本存在访问控制错误漏洞，该漏洞源于会话数据处理不当和缺乏访问控制机制，攻击者可利用此漏洞导致访问和操作其他用户的聊天记录。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/gaizhenbiao/chuanhuchatgpt/commit/526c615c437377ee9c71f866fd0f19011910f705

Reference

https://github.com/gaizhenbiao/chuanhuchatgpt/commit/526c615c437377ee9c71f866fd0f19011910f705

Impacted products

Name
ChuanhuChatGPT ChuanhuChatGPT 20240802

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-8613",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-8613"
    }
  },
  "description": "ChuanhuChatGPT\u662f\u4e00\u6b3e\u5e94\u7528\u7a0b\u5e8f\uff0c\u4e3aChatGPT\u7b49\u591a\u79cdLLM\u63d0\u4f9b\u4e86\u4e00\u4e2a\u8f7b\u5feb\u597d\u7528\u7684Web\u56fe\u5f62\u754c\u9762\u548c\u4f17\u591a\u9644\u52a0\u529f\u80fd\u3002\n\nChuanhuChatGPT 20240802\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4f1a\u8bdd\u6570\u636e\u5904\u7406\u4e0d\u5f53\u548c\u7f3a\u4e4f\u8bbf\u95ee\u63a7\u5236\u673a\u5236\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5bfc\u81f4\u8bbf\u95ee\u548c\u64cd\u4f5c\u5176\u4ed6\u7528\u6237\u7684\u804a\u5929\u8bb0\u5f55\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/gaizhenbiao/chuanhuchatgpt/commit/526c615c437377ee9c71f866fd0f19011910f705",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-06186",
  "openTime": "2025-03-31",
  "patchDescription": "ChuanhuChatGPT\u662f\u4e00\u6b3e\u5e94\u7528\u7a0b\u5e8f\uff0c\u4e3aChatGPT\u7b49\u591a\u79cdLLM\u63d0\u4f9b\u4e86\u4e00\u4e2a\u8f7b\u5feb\u597d\u7528\u7684Web\u56fe\u5f62\u754c\u9762\u548c\u4f17\u591a\u9644\u52a0\u529f\u80fd\u3002\r\n\r\nChuanhuChatGPT 20240802\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4f1a\u8bdd\u6570\u636e\u5904\u7406\u4e0d\u5f53\u548c\u7f3a\u4e4f\u8bbf\u95ee\u63a7\u5236\u673a\u5236\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5bfc\u81f4\u8bbf\u95ee\u548c\u64cd\u4f5c\u5176\u4ed6\u7528\u6237\u7684\u804a\u5929\u8bb0\u5f55\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "ChuanhuChatGPT\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "ChuanhuChatGPT ChuanhuChatGPT 20240802"
  },
  "referenceLink": "https://github.com/gaizhenbiao/chuanhuchatgpt/commit/526c615c437377ee9c71f866fd0f19011910f705",
  "serverity": "\u9ad8",
  "submitTime": "2025-03-27",
  "title": "ChuanhuChatGPT\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2024-8613 (GCVE-0-2024-8613)

Vulnerability from cvelistv5 – Published: 2025-03-20 10:11 – Updated: 2025-10-15 12:49

Summary

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240802 allows attackers to access, copy, and delete other users' chat histories. This issue arises due to improper handling of session data and lack of access control mechanisms, enabling attackers to view and manipulate chat histories of other users.

Severity ?

8.1 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

@huntr_ai

References

URL

Tags

	https://huntr.com/bounties/76258774-b011-4044-9c3…
	https://github.com/gaizhenbiao/chuanhuchatgpt/com…

Impacted products

	Vendor	Product	Version
	gaizhenbiao	gaizhenbiao/chuanhuchatgpt	Affected: unspecified , < 20240918 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8613",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-20T17:46:27.450468Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-20T18:02:03.082Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gaizhenbiao/chuanhuchatgpt",
          "vendor": "gaizhenbiao",
          "versions": [
            {
              "lessThan": "20240918",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240802 allows attackers to access, copy, and delete other users\u0027 chat histories. This issue arises due to improper handling of session data and lack of access control mechanisms, enabling attackers to view and manipulate chat histories of other users."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-15T12:49:57.004Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/76258774-b011-4044-9c3d-c2609b1cbd29"
        },
        {
          "url": "https://github.com/gaizhenbiao/chuanhuchatgpt/commit/526c615c437377ee9c71f866fd0f19011910f705"
        }
      ],
      "source": {
        "advisory": "76258774-b011-4044-9c3d-c2609b1cbd29",
        "discovery": "EXTERNAL"
      },
      "title": "Improper Access Control in gaizhenbiao/chuanhuchatgpt"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-8613",
    "datePublished": "2025-03-20T10:11:38.821Z",
    "dateReserved": "2024-09-09T16:33:56.034Z",
    "dateUpdated": "2025-10-15T12:49:57.004Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-06186

CVE-2024-8613 (GCVE-0-2024-8613)

Tags

Sightings

Nomenclature