CVE-2024-8024— CORS Misconfiguration in netease-youdao/qanything
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-8024
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
CORS Misconfiguration in netease-youdao/qanything
Source: NVD (National Vulnerability Database)
Vulnerability Description
A CORS misconfiguration vulnerability exists in netease-youdao/qanything version 1.4.1. This vulnerability allows an attacker to bypass the Same-Origin Policy, potentially leading to sensitive information exposure. Properly implementing a restrictive CORS policy is crucial to prevent such security issues.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
源验证错误
Source: NVD (National Vulnerability Database)
Vulnerability Title
NetEase QAnything 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
NetEase QAnything是中国网易(NetEase)公司的致力于支持任意格式文件或数据库的本地知识库问答系统,可断网安装使用。 NetEase QAnything 1.4.1版本存在访问控制错误漏洞,该漏洞源于CORS配置不当,可能导致敏感信息泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| netease-youdao | netease-youdao/qanything | unspecified ~ latest | - |
II. Public POCs for CVE-2024-8024
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-8024
请登录查看更多情报信息。
Same Patch Batch · netease-youdao · 2025-03-20 · 6 CVEs total
| CVE-2024-12866 | Local File Inclusion in netease-youdao/qanything | |
| CVE-2024-12864 | Unauthenticated DoS by Sending Large Filename at File Upload Endpoint in netease-youdao/qa | |
| CVE-2024-8027 | Stored Cross-Site Scripting (XSS) in netease-youdao/QAnything | |
| CVE-2024-8026 | CSRF due to overly permissive CORS headers in netease-youdao/qanything | |
| CVE-2024-10264 | HTTP Request Smuggling in netease-youdao/qanything |
IV. Related Vulnerabilities
Same product: netease-youdao/qanything
- CVE-2024-12866
Local File Inclusion in netease-youdao/qanything - CVE-2024-8026
CSRF due to overly permissive CORS headers in netease-youdao - CVE-2024-12864
Unauthenticated DoS by Sending Large Filename at File Upload - CVE-2024-8027
Stored Cross-Site Scripting (XSS) in netease-youdao/QAnythin - CVE-2024-10264
HTTP Request Smuggling in netease-youdao/qanything
Same vendor: netease-youdao
- CVE-2024-12866
Local File Inclusion in netease-youdao/qanything - CVE-2024-8026
CSRF due to overly permissive CORS headers in netease-youdao - CVE-2024-12864
Unauthenticated DoS by Sending Large Filename at File Upload - CVE-2024-8027
Stored Cross-Site Scripting (XSS) in netease-youdao/QAnythin - CVE-2024-10264
HTTP Request Smuggling in netease-youdao/qanything
Same weakness: CWE-346
- CVE-2026-6508
RCE in TUBITAK BILGEM's Liderahenk - CVE-2026-43870
Apache Thrift: Node.js web_server.js multi-vulnerability - CVE-2026-7439
AgentFlow Local Web API Content-Type Validation Bypass - CVE-2026-41398
OpenClaw - Unauthorized Agent Request Dispatch via Untrusted - CVE-2026-41393
OpenClaw < 2026.3.31 - Arbitrary DNS Authority Acceptance an
V. Comments for CVE-2024-8024
No comments yet