CVE-2024-4499
published 2024-06-24CVE-2024-4499: A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS policy. The vulnerability allows…
PriorityP432medium6.3CVSS 3.1
AVNACLPRNUIRSUCLILAL
EPSS
0.18%
7.2th percentile
A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS policy. The vulnerability allows attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage, which can then trigger arbitrary LoLLMS-XTTS API requests. This issue can lead to the reading and writing of audio files and, when combined with other vulnerabilities, could allow for the reading of arbitrary files on the system and writing files outside the permitted audio file location.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lollms | lollms | — | — |
| parisneo | parisneo_lollms | unspecified – latest | — |
CVSS provenance
nvdv3.16.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
nvdv3.07.6HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-06-24
Published