Cross-Site Request Forgery Vulnerability in parisneo/lollms-webui by parisneo
CVE-2024-4403
8.8 HIGH
What is CVE-2024-4403?
A Cross-Site Request Forgery vulnerability exists in the restart_program function of parisneo/lollms-webui v9.6, allowing attackers to trigger actions on a user's behalf without the user's knowledge. By exploiting this flaw, malicious actors can send crafted CSRF forms that trigger unintended operations, including the resetting of programs. Because the affected function lacks adequate CSRF protection, these unexpected resets compromise installation processes such as those of the Binding zoo and Models zoo.
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
