CVE-2024-4328

Exploit

EPSS 0.05%
Veröffentlicht 10.06.2024 08:15:51
Zuletzt bearbeitet 21.11.2024 09:42:38
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A Cross-Site Request Forgery (CSRF) vulnerability exists in the clear_personality_files_list function of the parisneo/lollms-webui v9.6. The vulnerability arises from the use of a GET request to clear personality files list, which lacks proper CSRF protection. This flaw allows attackers to trick users into performing actions without their consent, such as deleting important files on the system. The issue is present in the application's handling of requests, making it susceptible to CSRF attacks that could lead to unauthorized actions being performed on behalf of the user.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parisneo ≫ Lollms Web Ui Version9.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.162

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
security@huntr.dev	4	2.5	1.4	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://huntr.com/bounties/0f4faadf-ebca-4ef8-9d8a-66dbd849c0f8

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-4328

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-4328

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-4328

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-4328