CVE-2024-10819 identifies a Cross-Site Request Forgery (CSRF) vulnerability in version 3.83 of the binary-husky/gpt_academic software. CSRF vulnerabilities allow attackers to induce authenticated users to perform unwanted actions on web applications without their knowledge. In this case, the attacker can trick a user into uploading files without their consent by exploiting the user's active session. The malicious files uploaded can contain scripts that lead to stored Cross-Site Scripting (XSS) attacks. Stored XSS enables attackers to execute arbitrary scripts in the context of the victim's browser, potentially stealing sensitive information such as session tokens, personal data, or performing actions on behalf of the user. The vulnerability does not require the attacker to have privileges or prior authentication but does require user interaction (e.g., visiting a malicious webpage). The CVSS 3.0 score of 7.1 reflects a network attack vector with low complexity, no privileges required, user interaction needed, and high confidentiality impact but limited integrity and no availability impact. No patches or known exploits are currently reported, but the risk remains significant due to the potential for system compromise and data leakage. The vulnerability is categorized under CWE-352, which is a common web security weakness related to CSRF attacks.

For European organizations, this vulnerability poses a significant risk to confidentiality and integrity of data. Unauthorized file uploads can lead to persistent XSS attacks, enabling attackers to steal sensitive user information, including credentials and session tokens, potentially leading to account takeover or further system compromise. Organizations relying on binary-husky/gpt_academic for academic or research purposes may face data breaches, reputational damage, and regulatory penalties under GDPR if personal data is exposed. The attack requires user interaction but no elevated privileges, increasing the likelihood of exploitation in environments where users access the vulnerable application frequently. The lack of availability impact means systems remain operational, but the stealthy nature of the attack can allow prolonged unauthorized access. European entities with web-facing deployments of this software are particularly vulnerable to targeted phishing or social engineering campaigns that exploit this flaw.

To mitigate this vulnerability, organizations should implement anti-CSRF tokens in all state-changing requests to ensure that actions are performed intentionally by authenticated users. Strict validation and sanitization of uploaded files must be enforced to prevent malicious scripts from being stored and executed. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts and reduce the impact of stored XSS. Regularly update the binary-husky/gpt_academic software to the latest version once patches become available. Conduct security awareness training to educate users about the risks of interacting with untrusted links or websites. Network-level protections such as Web Application Firewalls (WAF) can be configured to detect and block suspicious file upload attempts and CSRF attack patterns. Additionally, monitor application logs for unusual upload activity and implement multi-factor authentication to reduce the risk of session hijacking.