Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'.
AnalysisAI
HiJiffy Chatbot contains an authorization bypass vulnerability in the /api/v1/webchat/message endpoint that allows unauthenticated attackers to download private messages from arbitrary users by manipulating the 'visitor' parameter. The vulnerability affects all versions of HiJiffy Chatbot (as indicated by the wildcard CPE) and has been reported by INCIBE. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
The vulnerability is rooted in CWE-863 (Incorrect Authorization), a classification indicating that the application fails to properly validate whether a user is authorized to access requested resources. Specifically, the /api/v1/webchat/message API endpoint in HiJiffy Chatbot does not adequately verify that the requesting user has legitimate access to view messages associated with a given 'visitor' identifier. The affected product is HiJiffy Chatbot (CPE: cpe:2.3:a:hijiffy:hijiffy_chatbot:*:*:*:*:*:*:*:*), and the vulnerability likely stems from a failure to implement proper access control checks before returning sensitive conversation data. Instead of validating resource ownership or user permissions, the application trusts the 'visitor' parameter input directly, enabling horizontal privilege escalation where one user can retrieve another user's private messages.
RemediationAI
Contact HiJiffy support immediately to obtain patched versions and security guidance, referencing INCIBE's advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-hijiffy-chatbot. No vendor-released patch has been identified at the time of analysis; however, do not delay in engaging the vendor for patch availability and timelines. As an interim control, restrict network access to the /api/v1/webchat/message endpoint to trusted internal networks or verified client IP ranges using a Web Application Firewall (WAF) or reverse proxy, and implement strict request validation to block requests where the 'visitor' parameter does not match the authenticated user's identifier. Implement comprehensive API access logging to detect suspicious visitor parameter manipulation patterns. Until a vendor patch is available and deployed, consider disabling the affected endpoint if business operations permit, or require additional authentication factors (such as CAPTCHA or out-of-band verification) for message retrieval requests.
More in Hijiffy Chatbot
View allSame weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16150