{"id":"CVE-2024-6229","summary":"Stored XSS in stangirard/quivr","details":"A stored cross-site scripting (XSS) vulnerability exists in the 'Upload Knowledge' feature of stangirard/quivr, affecting the latest version at the time of the report (this record lists releases through 0.0.281 as affected). Users can upload files via URL, which allows the insertion of malicious JavaScript payloads. These payloads are stored on the server and executed whenever any user clicks on a link containing the payload, leading to potential data theft, session hijacking, and reputation damage.","modified":"2026-05-28T04:10:17.966267135Z","published":"2024-07-07T15:22:38.743Z","database_specific":{"cna_assigner":"@huntr_ai","cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/6xxx/CVE-2024-6229.json"},"references":[{"type":"WEB","url":"https://huntr.com/bounties/2ee71e9e-2cf5-41a4-8440-d75758018786"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/6xxx/CVE-2024-6229.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6229"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/quivrhq/quivr","events":[{"introduced":"0"},{"last_affected":"a09e3c5c1bda0528f9e6d85134a7b3b0dc95ef50"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"0.0.281"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:quivr:quivr:*:*:*:*:*:*:*:*"}}],"versions":["v0.0.281","core-0.0.8","core-0.0.7","core-0.0.6","core-0.0.5","core-0.0.4","core-0.0.3","core-0.0.2","v0.0.280","v0.0.279","v0.0.278","v0.0.277","v0.0.276","v0.0.275","v0.0.274","v0.0.273","v0.0.272","v0.0.271","v0.0.270","v0.0.267","v0.0.269","v0.0.268","v0.0.266","v0.0.265","v0.0.264","v0.0.263","v0.0.262","v0.0.261","v0.0.260","v0.0.259","v0.0.258","v0.0.257","v0.0.256","v0.0.255","v0.0.254","v0.0.253","v0.0.252","v0.0.251","v0.0.250","v0.0.249","v0.0.248","v0.0.247","v0.0.246","v0.0.245","v0.0.244","v0.0.243","v0.0.242","v0.0.241","v0.0.240","v0.0.239","v0.0.238","v0.0.237","v0.0.236","v0.0.232","v0
.0.235","v0.0.234","v0.0.233","v0.0.231","v0.0.230","v0.0.229","v0.0.228","v0.0.227","v0.0.226","v0.0.225","v0.0.224","v0.0.223","v0.0.222","v0.0.221","v0.0.219","v0.0.220","v0.0.218","v0.0.217","v0.0.216","v0.0.215","v0.0.214","v0.0.213","v0.0.212","v0.0.211","v0.0.210","v0.0.209","v0.0.208","v0.0.207","v0.0.206","v0.0.205","v0.0.204","v0.0.203","v0.0.202","v0.0.201","v0.0.200","v0.0.199","v0.0.198","v0.0.197","v0.0.196","v0.0.195","v0.0.194","v0.0.193","v0.0.192","v0.0.191","v0.0.190","v0.0.189","v0.0.188","v0.0.187","v0.0.186","v0.0.185","v0.0.184","v0.0.183","v0.0.182","v0.0.181","v0.0.180","v0.0.179","v0.0.178","v0.0.177","v0.0.176","v0.0.175","v0.0.174","v0.0.173","v0.0.172","v0.0.171","v0.0.170","v0.0.169","v0.0.168","v0.0.167","v0.0.166","v0.0.165","v0.0.164","v0.0.163","v0.0.162","v0.0.161","v0.0.160","v0.0.159","v0.0.158","v0.0.157","v0.0.156","v0.0.155","v0.0.154","v0.0.153","v0.0.152","v0.0.151","v0.0.150","v0.0.149","v0.0.148","v0.0.147","v0.0.146","v0.0.145","v0.0.144","v0.0.143","v0.0.142","v0.0.141","v0.0.140","v0.0.139","v0.0.138","v0.0.137","v0.0.136","v0.0.135","v0.0.134","v0.0.133","v0.0.132","v0.0.131","v0.0.130","v0.0.129","v0.0.128","v0.0.127","v0.0.126","v0.0.125","v0.0.124","v0.0.123","v0.0.122","v0.0.121","v0.0.120","v0.0.119","v0.0.118","v0.0.117","v0.0.116","v0.0.115","v0.0.114","v0.0.113","v0.0.112","v0.0.111","v0.0.110","v0.0.109","v0.0.108","v0.0.107","v0.0.106","v0.0.105","v0.0.104","v0.0.103","v0.0.102","v0.0.101","v0.0.100","v0.0.99","v0.0.98","v0.0.97","v0.0.96","v0.0.95","v0.0.94","v0.0.93","v0.0.92","v0.0.91","v0.0.90","v0.0.89","v0.0.88","v0.0.87","v0.0.86","v0.0.85","v0.0.84","v0.0.83","v0.0.82","v0.0.81","v0.0.80","v0.0.79","v0.0.78","v0.0.77","v0.0.76","v0.0.75","v0.0.74","v0.0.73","v0.0.72","v0.0.71","v0.0.70","v0.0.69","v0.0.68","v0.0.67","v0.0.66","v0.0.65","v0.0.64","v0.0.63","v0.0.62","v0.0.61","v0.0.60","v0.0.59","v0.0.58","v0.0.57","v0.0.56","v0.0.55","v0.0.54","v0.0.53","v0.0.52","v0.0.51","v0.0.50","v0.0.49","v0.0.48
","v0.0.47","v0.0.46","v0.0.45","v0.0.44","v0.0.43","v0.0.42","v0.0.41","v0.0.40","v0.0.39","v0.0.38","v0.0.37","v0.0.36","v0.0.35","v0.0.34","v0.0.33","v0.0.32","v0.0.31","v0.0.30","v0.0.29","v0.0.28","v0.0.27","v0.0.26","v0.0.22","v0.0.25","v0.0.24","v0.0.23","v0.0.21","v0.0.20","v0.0.19","v0.0.18","v0.0.17","v0.0.16","v0.0.15","v0.0.14","v0.0.13","v0.0.12","v0.0.11","v0.0.10","v0.0.9","v0.0.8","v0.0.7","v0.0.6","v0.0.5","v0.0.4","v0.0.3","v0.0.2","v0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-6229.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"}]}