cbcvebase.

Modelscope Agentscope vulnerabilities

10 known vulnerabilities affecting modelscope/modelscope_agentscope.

Total CVEs
10
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL4HIGH5MEDIUM1

Vulnerabilities

Page 1 of 1
CVE-2024-8502P2CRITICALCVSS 9.8≥ unspecified, ≤ latest2025-03-20
CVE-2024-8502 [CRITICAL] CWE-502 CVE-2024-8502: A vulnerability in the RpcAgentServerLauncher class of modelscope/agentscope v0.0.6a3 allows for rem A vulnerability in the RpcAgentServerLauncher class of modelscope/agentscope v0.0.6a3 allows for remote code execution (RCE) via deserialization of untrusted data using the dill library. The issue occurs in the AgentServerServicer.create_agent method, where serialized input is deserialized using dill.loads, enabling an attacker to execute arbitrary
nvd
CVE-2024-8537P3CRITICALCVSS 9.1≥ unspecified, ≤ latest2025-03-20
CVE-2024-8537 [CRITICAL] CWE-29 CVE-2024-8537: A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versio A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. The vulnerability is present in the /delete-workflow endpoint, allowing an attacker to delete arbitrary files from the filesystem. This issue arises due to improper input validation, enabling the attacker to manipulate file paths and delete sensiti
nvd
CVE-2024-8551P3CRITICALCVSS 9.1≥ unspecified, ≤ latest2025-03-20
CVE-2024-8551 [CRITICAL] CWE-23 CVE-2024-8551: A path traversal vulnerability exists in the save-workflow and load-workflow functionality of models A path traversal vulnerability exists in the save-workflow and load-workflow functionality of modelscope/agentscope versions prior to the fix. This vulnerability allows an attacker to read and write arbitrary JSON files on the filesystem, potentially leading to the exposure or modification of sensitive information such as configuration files, API key
nvd
CVE-2024-8501P3HIGHCVSS 8.8≥ unspecified, ≤ latest2025-03-20
CVE-2024-8501 [HIGH] CWE-36 CVE-2024-8501: An arbitrary file download vulnerability exists in the rpc_agent_client component of modelscope/agen An arbitrary file download vulnerability exists in the rpc_agent_client component of modelscope/agentscope version v0.0.4. This vulnerability allows any user to download any file from the rpc_agent's host by exploiting the download_file method. This can lead to unauthorized access to sensitive information, including configuration files, credentials, and
nvd
CVE-2024-8487P3CRITICALCVSS 9.8≥ unspecified, ≤ latest2025-03-20
CVE-2024-8487 [CRITICAL] CWE-346 CVE-2024-8487: A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can lead to unauthorized data access, information disclosure, and potential furt
nvd
CVE-2024-8438P3HIGHCVSS 7.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-8438 [HIGH] CWE-22 CVE-2024-8438: A path traversal vulnerability exists in modelscope/agentscope version v.0.0.4. The API endpoint `/a A path traversal vulnerability exists in modelscope/agentscope version v.0.0.4. The API endpoint `/api/file` does not properly sanitize the `path` parameter, allowing an attacker to read arbitrary files on the server.
nvd
CVE-2024-8489P3HIGHCVSS 8.8≥ unspecified, ≤ latest2025-03-20
CVE-2024-8489 [HIGH] CWE-352 CVE-2024-8489: A vulnerability in modelscope/agentscope, specifically in the AgentScope Studio backend server, allo A vulnerability in modelscope/agentscope, specifically in the AgentScope Studio backend server, allows for Cross-Site Request Forgery (CSRF) due to overly permissive CORS headers. This issue affects the latest commit on the main branch (21161fe). The vulnerability permits an attacker to access all backend endpoints, including the `api/file` endpoint, en
nvd
CVE-2024-8550P3HIGHCVSS 7.5≥ unspecified, ≤ latest2025-02-10
CVE-2024-8550 [HIGH] CWE-497 CVE-2024-8550: A Local File Inclusion (LFI) vulnerability exists in the /load-workflow endpoint of modelscope/agent A Local File Inclusion (LFI) vulnerability exists in the /load-workflow endpoint of modelscope/agentscope version v0.0.4. This vulnerability allows an attacker to read arbitrary files from the server, including sensitive files such as API keys, by manipulating the filename parameter. The issue arises due to improper sanitization of user input passed to
nvd
CVE-2024-8524P3HIGHCVSS 7.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-8524 [HIGH] CWE-22 CVE-2024-8524: A directory traversal vulnerability exists in modelscope/agentscope version 0.0.4. An attacker can e A directory traversal vulnerability exists in modelscope/agentscope version 0.0.4. An attacker can exploit this vulnerability to read any local JSON file by sending a crafted POST request to the /read-examples endpoint.
nvd
CVE-2024-8556P4MEDIUMCVSS 6.1≥ unspecified, ≤ latest2025-03-20
CVE-2024-8556 [MEDIUM] CWE-79 CVE-2024-8556: A stored cross-site scripting (XSS) vulnerability exists in modelscope/agentscope, as of the latest A stored cross-site scripting (XSS) vulnerability exists in modelscope/agentscope, as of the latest commit 21161fe on the main branch. The vulnerability occurs in the view for inspecting detailed run information, where a user-controllable string (run ID) is appended and rendered as HTML. This allows an attacker to execute arbitrary JavaScript code in th
nvd
Modelscope Agentscope vulnerabilities | cvebase