Onyx
SQL injection in Onyx Chat Interface allows authenticated remote attackers to manipulate database queries via the generate_simple_sql function in the KB search component. Versions up to 0.29.1 are affected. While the CVSS score is low (2.1) due to limited impact scope and authentication requirement, public exploit code exists and the vendor has not responded to early disclosure, increasing real-world risk for users who cannot rapidly patch.
In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.
An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.