CVE-2024-9900

Exploit

EPSS 0.12%
Veröffentlicht 20.03.2025 10:09:14
Zuletzt bearbeitet 04.04.2025 09:15:16
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution of malicious scripts in the context of the victim's browser, potentially compromising user sessions, stealing session cookies, redirecting users to malicious websites, or manipulating the DOM.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mudler ≫ Localai Version2.21.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.312

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security@huntr.dev	5.4	2.8	2.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://huntr.com/bounties/b39cd230-db66-471b-89b9-24afaa078e68

Third Party Advisory

Exploit

https://github.com/mudler/localai/commit/a1634b219a4e52813e70ff07e6376a01449c4515

Patch

https://nvd.nist.gov/vuln/detail/CVE-2024-9900

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-9900

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-9900

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-9900