CVE-2024-10481

Exploit

EPSS 0.06%
Veröffentlicht 20.03.2025 10:09:02
Zuletzt bearbeitet 29.07.2025 18:22:05
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A CSRF vulnerability exists in comfyanonymous/comfyui versions up to v0.2.2. This vulnerability allows attackers to host malicious websites that, when visited by authenticated ComfyUI users, can perform arbitrary API requests on behalf of the user. This can be exploited to perform actions such as uploading arbitrary files via the `/upload/image` endpoint. The lack of CSRF protections on API endpoints like `/upload/image`, `/prompt`, and `/history` leaves users vulnerable to unauthorized actions, which could be combined with other vulnerabilities such as stored-XSS to further compromise user sessions.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Comfy ≫ Comfyui Version <= 0.2.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.177

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	6.5	2.8	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://huntr.com/bounties/f4d5bfb5-6ff1-4356-b81f-f8c01d2e6ded

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-10481

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-10481

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-10481

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-10481