CVE-2024-4328 — Cross-Site Request Forgery in Lollms-webui

CWE-352 — Cross-Site Request Forgery2 documents2 sources

Severity

8.1HIGHNVD

EPSS

0.1%

top 83.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Parisneo Lollms-webui Parisneo Lollms WEB UI

Timeline

PublishedJun 10

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the clear_personality_files_list function of the parisneo/lollms-webui v9.6. The vulnerability arises from the use of a GET request to clear personality files list, which lacks proper CSRF protection. This flaw allows attackers to trick users into performing actions without their consent, such as deleting important files on the system. The issue is present in the application's handling of requests, making it susceptible to CSRF attacks …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5parisneo/parisneo_lollms-webuiunspecified — latest

▶NVDparisneo/lollms_web_ui9.6

🔴Vulnerability Details

GHSA

GHSA-mf32-4qcq-96wh: A Cross-Site Request Forgery (CSRF) vulnerability exists in the clear_personality_files_list function of the parisneo/lollms-webui v9↗2024-06-10

▶