CVE-2024-4839 MEDIUM

CVE-2024-4839: CSRF in Servers Configurations in parisneo/lollms-webui

Vendor Parisneo
Product parisneo/lollms-webui
Weakness CWE-352 · CSRF
Published June 24, 2024
Last update August 1, 2024
View on NVD All CVEs

CVSS base score

4.4/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and Motion Ctrl service, which lack CSRF protection. This vulnerability allows attackers to deceive users into unwittingly installing the XTTS service among other packages by submitting a malicious installation request. Successful exploitation results in attackers tricking users into performing actions without their consent.

Key dates

02Disclosure timeline

June 24, 2024 CVE published
August 1, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-31305 WordPress Transcoder plugin <= 1.3.5 - Cross Site Request Forgery (CSRF) vulnerability CVE-2025-34429 1Panel CSRF Web Port Configuration Change CVE-2024-31374 WordPress AppPresser plugin <= 4.3.0 - Cross Site Request Forgery (CSRF) vulnerability CVE-2023-45647 WordPress Constant Contact Forms by MailMunch Plugin <= 2.0.10 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2022-1846 Tiny Contact Form <= 0.7 - Arbitrary Settings Update via CSRF