Cherry Studio v3.1.2 Security Update: Fixes CORS Abuse, IDOR, Mass Assignment & Credential Leak

Vulnerability Overview Hardcoded CORS wildcard on TTS endpoint: The hardcoded CORS wildcard on the TTS endpoint allows any webpage to abuse cross-origin credentials. Scope Any webpage can exploit this vulnerability to abuse cross-origin credentials. Remediation The vulnerability has been fixed in version 3.1.2. Related Vulnerabilities Fix Credential Data Leak by @christopherholland-workday in #5042: Fixed the credential data leak issue. Fix Chatflow Query to Protect Against Cross-Workspace Chatflow Disclosure by @christopherholland-workday in #6043: Fixed the chatflow query to protect against cross-workspace chatflow disclosure. Fix IDOR Takeover in PUT /api/v1/User by @christopherholland-workday in #5986: Fixed the IDOR takeover issue in PUT /api/v1/User. Fix Mass Assignment in Tools Endpoint by @christopherholland-workday in #5054: Fixed the mass assignment issue in the Tools endpoint. Fix Mass Assignment in Variables Endpoints by @christopherholland-workday in #5955: Fixed the mass assignment issue in the Variables endpoints. Fix Mass Assignment in Assistant Update Endpoint by @christopherholland-workday in #5945: Fixed the mass assignment issue in the Assistant Update endpoint. Fix Mass Assignment in Chatflow Endpoints by @christopherholland-workday in #5953: Fixed the mass assignment issue in the Chatflow endpoints. Fix IDOR in Evaluators and Evaluations Endpoints by @christopherholland-workday in #6050: Fixed the IDOR issue in the Evaluators and Evaluations endpoints. Fix Mass Assignment in Dataset and DatasetRow Operations by @christopherholland-workday in #6051: Fixed the mass assignment issue in Dataset and DatasetRow operations. Fix Mass Assignment in Assistant Endpoints by @christopherholland-workday in #5945: Fixed the mass assignment issue in the Assistant endpoints. Fix Mass Assignment on Save Custom Template by @christopherholland-workday in #5129: Fixed the mass assignment issue when saving custom templates. Remediation The above vulnerabilities have been fixed in version 3.1.2. Summary Version 3.1.2 addressed multiple security vulnerabilities, including CORS wildcard abuse, credential data leaks, chatflow query protections, IDOR takeover, and mass assignment issues. These fixes significantly enhance the system's security posture.

Goal Reached Thanks to every supporter — we hit 100%!

Cherry Studio v3.1.2 Security Update: Fixes CORS Abuse, IDOR, Mass Assignment & Credential Leak

More from this source