CSRF Vulnerability in Parisneo LOLLMs version 9.6 Allows Unauthorized Actions
CVE-2024-4499
6.3MEDIUM
Key Information
- Vendor
- Parisneo
- Status
- Parisneo/lollms
- Vendor
- CVE Published:
- 24 June 2024
Summary
A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS policy. The vulnerability allows attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage, which can then trigger arbitrary LoLLMS-XTTS API requests. This issue can lead to the reading and writing of audio files and, when combined with other vulnerabilities, could allow for the reading of arbitrary files on the system and writing files outside the permitted audio file location.
Affected Version(s)
parisneo/lollms <= unspecified
CVSS V3.1
Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
Timeline
Risk change from: null to: 7.6 - (HIGH)
Vulnerability published.
Vulnerability Reserved.
Collectors
NVD DatabaseMitre Database