CSRF Vulnerability in clear_personality_files_list Function
CVE-2024-4328

8.1HIGH

Key Information:

Vendor: Parisneo
Status: Parisneo/lollms-webui
Vendor: CVE Published:; 10 June 2024

Summary

A vulnerability exists in the clear_personality_files_list function of the Lollms Web UI, specifically in version 9.6, that allows for Cross-Site Request Forgery (CSRF) attacks. This vulnerability is due to the usage of a GET request which fails to implement adequate CSRF protection mechanisms. As a result, attackers can exploit this flaw to trick users into executing unwanted actions, potentially leading to the deletion of critical personality files without proper authorization.

Affected Version(s)

parisneo/lollms-webui <= unspecified

References

https://huntr.com/bounties/0f4faadf-ebca-4ef8-9d8a-66dbd8...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jun 10, 2024
Vulnerability Reserved
Apr 29, 2024