CVE-2024-5334 Scanner
CVE-2024-5334 Scanner - Local File Inclusion vulnerability in Devika AI
Short Info
Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 23 days 9 hours
Scan only one: Domain, IPv4
Devika AI is a web application used for web scraping and browser automation.
This vulnerability exists due to improper handling of user input in the snapshot_path parameter. An attacker can exploit this vulnerability to read arbitrary files on the system by crafting a malicious request.
The vulnerability is located in the /api/get-browser-snapshot endpoint of the Devika AI application. The snapshot_path parameter is not properly validated, allowing attackers to specify a path to a file they want to read.
Successful exploitation of this vulnerability could allow an attacker to read sensitive information from the server, such as configuration files or user data. This information could then be used to launch further attacks on the system.
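A server-side containment check of the kind the snapshot_path parameter lacks, as an added example (not Devika's code or its actual fix). The function names, the screenshots directory and the sample files are assumptions constructed for the illustration.

```python
import os
import tempfile

class SnapshotPathError(ValueError):
    """Raised when a requested snapshot is outside the allowed directory."""

def resolve_snapshot_path(base_dir: str, snapshot_path: str) -> str:
    """Return the real path of a snapshot file, or raise if it leaves base_dir.

    base_dir is the only directory the endpoint may serve from (an assumed
    layout; the page does not name the directory Devika uses).
    """
    if not snapshot_path or "\x00" in snapshot_path:
        raise SnapshotPathError("empty or malformed path")
    base_real = os.path.realpath(base_dir)
    # join() drops base_real when snapshot_path is absolute, and realpath()
    # collapses ".." and follows symlinks, so the comparison below is made
    # against the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(base_real, snapshot_path))
    try:
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside:
        raise SnapshotPathError("path escapes the snapshot directory")
    if not os.path.isfile(candidate):
        raise SnapshotPathError("no such snapshot")
    return candidate

def check_samples() -> dict:
    """Run constructed inputs through the check; True means it would be served."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "screenshots")
        os.mkdir(base)
        secret = os.path.join(root, "config.toml")  # constructed file outside base
        for path in (os.path.join(base, "shot.png"), secret):
            with open(path, "w") as fh:
                fh.write("x")
        os.symlink(secret, os.path.join(base, "link.png"))  # symlink leaving base
        samples = {"inside": "shot.png", "dotdot": "../config.toml",
                   "absolute": secret, "symlink": "link.png", "missing": "nope.png"}
        results = {}
        for label, value in samples.items():
            try:
                resolve_snapshot_path(base, value)
                results[label] = True
            except SnapshotPathError:
                results[label] = False
        return results
```

Only the file inside the snapshot directory is accepted. The relative, absolute and symlinked references to the file outside it are rejected before any read takes place.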