Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities by quivr
CVE-2024-6583 (GCVE-0-2024-6583)
Vulnerability from cvelistv5 – Published: 2025-03-20 10:10 – Updated: 2025-03-20 18:22
VLAI
Title
Path Traversal in stangirard/quivr
Summary
A path traversal vulnerability exists in the latest version of stangirard/quivr. This vulnerability allows an attacker to upload files to arbitrary paths in an S3 bucket by manipulating the file path in the upload request.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| stangirard | stangirard/quivr |
Affected:
unspecified , ≤ latest
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6583",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T17:48:52.798616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:22:17.747Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "stangirard/quivr",
"vendor": "stangirard",
"versions": [
{
"lessThanOrEqual": "latest",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability exists in the latest version of stangirard/quivr. This vulnerability allows an attacker to upload files to arbitrary paths in an S3 bucket by manipulating the file path in the upload request."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:10:23.071Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/c310b500-ec26-4121-8d3a-8e863181346f"
}
],
"source": {
"advisory": "c310b500-ec26-4121-8d3a-8e863181346f",
"discovery": "EXTERNAL"
},
"title": "Path Traversal in stangirard/quivr"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-6583",
"datePublished": "2025-03-20T10:10:23.071Z",
"dateReserved": "2024-07-08T20:55:27.506Z",
"dateUpdated": "2025-03-20T18:22:17.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6229 (GCVE-0-2024-6229)
Vulnerability from cvelistv5 – Published: 2024-07-07 15:22 – Updated: 2024-08-01 21:33
VLAI
Title
Stored XSS in stangirard/quivr
Summary
A stored cross-site scripting (XSS) vulnerability exists in the 'Upload Knowledge' feature of stangirard/quivr, affecting the latest version. Users can upload files via URL, which allows the insertion of malicious JavaScript payloads. These payloads are stored on the server and executed whenever any user clicks on a link containing the payload, leading to potential data theft, session hijacking, and reputation damage.
Severity
6.8 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| stangirard | stangirard/quivr |
Affected:
unspecified , ≤ latest
(custom)
|
|
| stangirard | quivr |
Affected:
0.0.259 , ≤ *
(custom)
cpe:2.3:a:stangirard:quivr:0.0.259:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:stangirard:quivr:0.0.259:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quivr",
"vendor": "stangirard",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0.0.259",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6229",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-07T19:13:05.804340Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-07T19:15:38.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:33:05.163Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/2ee71e9e-2cf5-41a4-8440-d75758018786"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "stangirard/quivr",
"vendor": "stangirard",
"versions": [
{
"lessThanOrEqual": "latest",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in the \u0027Upload Knowledge\u0027 feature of stangirard/quivr, affecting the latest version. Users can upload files via URL, which allows the insertion of malicious JavaScript payloads. These payloads are stored on the server and executed whenever any user clicks on a link containing the payload, leading to potential data theft, session hijacking, and reputation damage."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-07T15:22:38.743Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/2ee71e9e-2cf5-41a4-8440-d75758018786"
}
],
"source": {
"advisory": "2ee71e9e-2cf5-41a4-8440-d75758018786",
"discovery": "EXTERNAL"
},
"title": "Stored XSS in stangirard/quivr"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-6229",
"datePublished": "2024-07-07T15:22:38.743Z",
"dateReserved": "2024-06-20T20:29:12.955Z",
"dateUpdated": "2024-08-01T21:33:05.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5885 (GCVE-0-2024-5885)
Vulnerability from cvelistv5 – Published: 2024-06-27 18:45 – Updated: 2024-08-01 21:25
VLAI
Title
Server-Side Request Forgery (SSRF) in stangirard/quivr
Summary
stangirard/quivr version 0.0.236 contains a Server-Side Request Forgery (SSRF) vulnerability. The application does not provide sufficient controls when crawling a website, allowing an attacker to access applications on the local network. This vulnerability could allow a malicious user to gain access to internal servers, the AWS metadata endpoint, and capture Supabase data.
Severity
8.6 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| stangirard | stangirard/quivr |
Affected:
unspecified , ≤ latest
(custom)
|
|
| stangirard | quivr |
Affected:
0 , < *
(custom)
cpe:2.3:a:stangirard:quivr:*:*:*:*:*:*:*:* |
|
| stangirard | quivr |
Affected:
0.0.236
cpe:2.3:a:stangirard:quivr:0.0.236:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:stangirard:quivr:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quivr",
"vendor": "stangirard",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:stangirard:quivr:0.0.236:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quivr",
"vendor": "stangirard",
"versions": [
{
"status": "affected",
"version": "0.0.236"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5885",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T19:40:28.096464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T19:48:11.929Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:25:03.160Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/c178bf48-1d4a-4743-87ca-4cc8e475d274"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "stangirard/quivr",
"vendor": "stangirard",
"versions": [
{
"lessThanOrEqual": "latest",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "stangirard/quivr version 0.0.236 contains a Server-Side Request Forgery (SSRF) vulnerability. The application does not provide sufficient controls when crawling a website, allowing an attacker to access applications on the local network. This vulnerability could allow a malicious user to gain access to internal servers, the AWS metadata endpoint, and capture Supabase data."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T18:45:19.519Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/c178bf48-1d4a-4743-87ca-4cc8e475d274"
}
],
"source": {
"advisory": "c178bf48-1d4a-4743-87ca-4cc8e475d274",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in stangirard/quivr"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-5885",
"datePublished": "2024-06-27T18:45:19.519Z",
"dateReserved": "2024-06-11T21:40:44.149Z",
"dateUpdated": "2024-08-01T21:25:03.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4851 (GCVE-0-2024-4851)
Vulnerability from cvelistv5 – Published: 2024-06-06 18:39 – Updated: 2024-08-09 19:48
VLAI
Title
SSRF Vulnerability in stangirard/quivr
Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the stangirard/quivr application, version 0.0.204, which allows attackers to access internal networks. The vulnerability is present in the crawl endpoint where the 'url' parameter can be manipulated to send HTTP requests to arbitrary URLs, thereby facilitating SSRF attacks. The affected code is located in the backend/routes/crawl_routes.py file, specifically within the crawl_endpoint function. This issue could allow attackers to interact with internal services that are accessible from the server hosting the application.
Severity
7.7 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| stangirard | stangirard/quivr |
Affected:
unspecified , ≤ latest
(custom)
|
|
| quivr | quivr |
Affected:
0.0.204
cpe:2.3:a:quivr:quivr:0.0.204:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/b6011986-954a-47da-a60c-fc7aebc8005d"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:quivr:quivr:0.0.204:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quivr",
"vendor": "quivr",
"versions": [
{
"status": "affected",
"version": "0.0.204"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4851",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-09T19:45:09.575452Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T19:48:33.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "stangirard/quivr",
"vendor": "stangirard",
"versions": [
{
"lessThanOrEqual": "latest",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Server-Side Request Forgery (SSRF) vulnerability exists in the stangirard/quivr application, version 0.0.204, which allows attackers to access internal networks. The vulnerability is present in the crawl endpoint where the \u0027url\u0027 parameter can be manipulated to send HTTP requests to arbitrary URLs, thereby facilitating SSRF attacks. The affected code is located in the backend/routes/crawl_routes.py file, specifically within the crawl_endpoint function. This issue could allow attackers to interact with internal services that are accessible from the server hosting the application."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T18:39:58.505Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/b6011986-954a-47da-a60c-fc7aebc8005d"
}
],
"source": {
"advisory": "b6011986-954a-47da-a60c-fc7aebc8005d",
"discovery": "EXTERNAL"
},
"title": "SSRF Vulnerability in stangirard/quivr"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-4851",
"datePublished": "2024-06-06T18:39:58.505Z",
"dateReserved": "2024-05-13T21:25:46.851Z",
"dateUpdated": "2024-08-09T19:48:33.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}