CVE-2024-4403 MEDIUM

CVE-2024-4403: CSRF in restart_program in parisneo/lollms-webui

Vendor Parisneo
Product parisneo/lollms-webui
Weakness CWE-352 · CSRF
Published June 10, 2024
Last update August 1, 2024
View on NVD All CVEs

CVSS base score

4.4/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintended actions, such as resetting the program without their knowledge, by sending specially crafted CSRF forms. This issue affects the installation process, including the installation of Binding zoo and Models zoo, by unexpectedly resetting programs. The vulnerability is due to the lack of CSRF protection in the affected function.

Key dates

02Disclosure timeline

June 10, 2024 CVE published
August 1, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-32597 WordPress WordPress Events Calendar Plugin – connectDaily plugin <= 1.5.4 - CSRF to Cross-Site Scripting vulnerability CVE-2025-46506 WordPress WpZon – Amazon Affiliate Plugin plugin <= 1.3 - CSRF to XSS vulnerability CVE-2024-13250 Drupal Symfony Mailer Lite - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-014 CVE-2025-49382 WordPress JobZilla - Job Board WordPress Theme Theme <= 2.0 - Cross Site Request Forgery (CSRF) Vulnerability CVE-2024-22290 WordPress Custom Dashboard Widgets Plugin <= 1.3.1 is vulnerable to Cross Site Request Forgery (CSRF)