Cross-Site Request Forgery Vulnerability in parisneo/lollms-webui by parisneo
CVE-2024-4403

8.8HIGH

Key Information:

Vendor: parisneo
Status: lollms-webui
Vendor: CVE Published:; 10 June 2024

What is CVE-2024-4403?

A Cross-Site Request Forgery vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6, allowing attackers to manipulate user actions unknowingly. By exploiting this flaw, malicious actors can send crafted CSRF forms that can trigger unintended operations, including the resetting of programs. This vulnerability compromises the installation processes, such as Binding zoo and Models zoo, by enabling unexpected resets, stemming from inadequate CSRF protection in the affected function.

References

https://huntr.com/bounties/c9dd6d2f-d83a-488b-9443-d4200c...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 10, 2024