CVE-2024-8026 Information

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything as of commit d9ab8bc. The backend server has overly permissive CORS headers allowing all cross-origin calls. This vulnerability affects all backend endpoints enabling actions such as creating uploading listing deleting files and managing knowledge bases.

Reference

https://huntr.com/bounties/e57f1e32-0fe5-4997-926c-587461aa6274 https://huntr.com/bounties/e57f1e32-0fe5-4997-926c-587461aa6274