CVE-2024-4499 HIGH

CVE-2024-4499: CSRF Vulnerability in parisneo/lollms XTTS Server

Vendor Parisneo
Product parisneo/lollms
Weakness CWE-352 · CSRF
Published June 24, 2024
Last update August 1, 2024

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity Low
Availability Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

What the vulnerability does

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 because of a lax CORS policy. An attacker who lures a user into visiting a malicious web page can have that page issue arbitrary LoLLMS-XTTS API requests from the user's browser. The permissive CORS policy is what makes this more than a blind write: it lets the attacker's page send requests the browser would otherwise refuse after preflight and, because the server reflects the page's origin, read the responses as well. This allows reading and writing audio files and, when combined with other vulnerabilities, could allow reading arbitrary files on the system and writing files outside the permitted audio file location.
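As an added example (not code from the lollms or XTTS projects), the following Python models the two server-side choices the description turns on: a reflect-any-Origin CORS policy beside a strict allow-list plus an Origin/Referer gate on state-changing requests, then evaluates a constructed request from an attacker page and one from the legitimate UI under each. The endpoint path, the port, and the trusted origins are assumptions for illustration.

```python
"""Lax vs. strict cross-origin handling for a local TTS API (added example,
not project code). Endpoint path, port and trusted origins are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed origins the legitimate local UI is served from.
TRUSTED_ORIGINS = frozenset({"http://localhost:8020", "http://127.0.0.1:8020"})
STATE_CHANGING = frozenset({"POST", "PUT", "PATCH", "DELETE"})


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def origin_of(url: str) -> str:
    """Reduce a full URL (e.g. a Referer) to its scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def request_origin(req: Request) -> Optional[str]:
    """Browsers attach Origin to every cross-origin and every non-GET request;
    fall back to Referer. None means the source cannot be determined."""
    origin = req.header("Origin")
    if origin and origin != "null":
        return origin
    referer = req.header("Referer")
    return origin_of(referer) if referer else None


def cors_headers_lax(req: Request) -> Dict[str, str]:
    """The weak pattern: reflect whatever Origin arrives and allow everything.
    Any page can now pass preflight and read the response body."""
    origin = req.header("Origin")
    if not origin:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
        "Access-Control-Allow-Headers": "*",
    }


def cors_headers_strict(req: Request) -> Dict[str, str]:
    """Only allow-listed origins receive CORS headers; others get none."""
    origin = req.header("Origin")
    if origin in TRUSTED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def csrf_allowed(req: Request) -> bool:
    """Gate state-changing requests on a trusted source origin.
    Fails closed when the origin cannot be determined."""
    if req.method not in STATE_CHANGING:
        return True
    return request_origin(req) in TRUSTED_ORIGINS


def handle(req: Request, lax: bool) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for a write endpoint."""
    cors = cors_headers_lax(req) if lax else cors_headers_strict(req)
    if not lax and not csrf_allowed(req):
        return 403, cors
    return 200, cors


def page_can_read_response(page_origin: str, headers: Dict[str, str],
                           credentials: bool = False) -> bool:
    """Browser-side CORS decision: the calling page sees the body only if the
    Access-Control-Allow-Origin header matches ('*' is not accepted when the
    request carried credentials)."""
    acao = headers.get("Access-Control-Allow-Origin")
    if credentials:
        return acao == page_origin and headers.get(
            "Access-Control-Allow-Credentials") == "true"
    return acao == "*" or acao == page_origin


# Constructed requests: one from an attacker-controlled page, one from the UI.
# The endpoint name is an assumption.
ATTACK = Request("POST", "/tts_to_audio",
                 {"Origin": "https://evil.example", "Content-Type": "application/json"})
LEGIT = Request("POST", "/tts_to_audio",
                {"Origin": "http://localhost:8020", "Content-Type": "application/json"})


def demo() -> Dict[Tuple[str, str], Tuple[int, bool]]:
    """Map (client, policy) -> (status, whether the page can read the body)."""
    results = {}
    for name, req in (("attacker", ATTACK), ("ui", LEGIT)):
        for mode in ("lax", "strict"):
            status, hdrs = handle(req, lax=(mode == "lax"))
            readable = page_can_read_response(req.header("Origin") or "", hdrs)
            results[(name, mode)] = (status, readable)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

Under the lax policy the attacker's page gets a 200 and can read the response, which is the write-and-read primitive the description refers to; under the strict policy the same request is refused with 403 and, even if it had succeeded, the missing Access-Control-Allow-Origin header would keep the body opaque to the page. The legitimate UI origin works under both.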

Key dates

Disclosure timeline

June 24, 2024 CVE published
August 1, 2024 Record updated
