A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS policy. The vulnerability allows attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage, which can then trigger arbitrary LoLLMS-XTTS API requests. This issue can lead to the reading and writing of audio files and, when combined with other vulnerabilities, could allow for the reading of arbitrary files on the system and writing files outside the permitted audio file location.
References
Link | Resource |
---|---|
https://huntr.com/bounties/336cd0eb-eb47-450d-9b2c-9332f69af65a | Exploit Third Party Advisory |
https://huntr.com/bounties/336cd0eb-eb47-450d-9b2c-9332f69af65a | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 09:42
Type | Values Removed | Values Added |
---|---|---|
References | () https://huntr.com/bounties/336cd0eb-eb47-450d-9b2c-9332f69af65a - Exploit, Third Party Advisory |
13 Sep 2024, 16:01
Type | Values Removed | Values Added |
---|---|---|
First Time |
Lollms lollms
Lollms |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.3 |
References | () https://huntr.com/bounties/336cd0eb-eb47-450d-9b2c-9332f69af65a - Exploit, Third Party Advisory | |
CPE | cpe:2.3:a:lollms:lollms:9.6:*:*:*:*:*:*:* |
24 Jun 2024, 12:57
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
24 Jun 2024, 03:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-24 03:15
Updated : 2024-11-21 09:42
NVD link : CVE-2024-4499
Mitre link : CVE-2024-4499
CVE.ORG link : CVE-2024-4499
JSON object : View
Products Affected
lollms
- lollms
CWE
CWE-352
Cross-Site Request Forgery (CSRF)