CVE-2024-4403

Published: Jun 10, 2024

Modified: Aug 1, 2024

PUBLISHED

CVSS v3.0

4.4

MEDIUM

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintended actions, such as resetting the program without their knowledge, by sending specially crafted CSRF forms. This issue affects the installation process, including the installation of Binding zoo and Models zoo, by unexpectedly resetting programs. The vulnerability is due to the lack of CSRF protection in the affected function.

Vendor	Product	Versions
parisneo	parisneo/lollms-webui	affected `unspecified - <= latest`

Weaknesses (CWE)

CWE-352

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

References

https://huntr.com/bounties/c9dd6d2f-d83a-488b-9443-d4200c010851

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-4403

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References