Multiple vulnerabilities in the HiJiffy chatbot
HiJiffy Chatbot.
INCIBE has coordinated the publication of 2 medium-severity vulnerabilities affecting HiJiffy Chatbot, a communications center for guests. The vulnerabilities were discovered by David Utón Amaya (m3n0sd0n4ld).
Each vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- From CVE-2026-4262 to CVE-2026-4263: 6.9 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-863
The vulnerabilities have been resolved by the HiJiffy team. Since the affected product is a cloud-based solution, the fix has already been deployed across all online versions, so no further action is required on the part of users.
An incorrect authorization vulnerability has been found in HiJiffy Chatbot. The list of assigned parameters and identifiers is as follows:
- CVE-2026-4262: this vulnerability allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/<ID>/'.
- CVE-2026-4263: this vulnerability allows an attacker to access private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'.
These findings did not result in any data leakage.
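
An added example, not HiJiffy's code and not part of the advisory: a minimal Python model of the object-level authorization check that CWE-863 findings of this kind call for on the two endpoints, shown next to the flawed pattern. The session-bound visitor identity, the data model and all function names are assumptions made for illustration.

```python
# Illustrative model only: data model, session concept and names are
# assumptions, not HiJiffy's implementation.
from dataclasses import dataclass
from typing import Optional

class Forbidden(Exception):
    """Caller is not allowed to access the requested object."""

@dataclass(frozen=True)
class Attachment:
    visitor: str      # visitor who owns the conversation
    content: bytes

# Constructed sample data
ATTACHMENTS = {
    1: Attachment("visitor-a", b"transcript for A"),
    2: Attachment("visitor-b", b"transcript for B"),
}
MESSAGES = [("visitor-a", "Late checkout, please"), ("visitor-b", "Booking ref 0000")]

def download_unchecked(attachment_id: int) -> bytes:
    """Flawed pattern: the ID alone selects the object, ownership is never checked."""
    return ATTACHMENTS[attachment_id].content

def download(session_visitor: str, attachment_id: int) -> bytes:
    """/api/v1/download/<ID>/ with an ownership check on the looked-up object."""
    att = ATTACHMENTS.get(attachment_id)
    # Same error for "missing" and "not yours", so responses do not reveal valid IDs.
    if att is None or att.visitor != session_visitor:
        raise Forbidden("attachment not available")
    return att.content

def list_messages(session_visitor: str, visitor_param: Optional[str] = None) -> list:
    """/api/v1/webchat/message: identity comes from the session, not the request."""
    # A client-supplied 'visitor' value is accepted only if it matches the session.
    if visitor_param is not None and visitor_param != session_visitor:
        raise Forbidden("visitor does not match session")
    return [text for owner, text in MESSAGES if owner == session_visitor]
```
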



