How severe is CVE-2024-3135?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2024-3135?

This is classified as CWE-352, which is a common weakness in software security.

CVE-2024-3135 - MEDIUM Severity | CVSS 6.5

Vulnerability Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the mudler/localai application, allowing attackers to craft malicious webpages that, when visited by a victim, perform unauthorized actions on the victim's local LocalAI instance without their consent. This vulnerability enables attackers to exhaust system resources, consume credits, and fill disk space by making numerous resource-intensive API calls, such as generating images or uploading files. The vulnerability stems from the application's acceptance of simple request content-types without requiring CSRF tokens or implementing other CSRF mitigation measures. Successful exploitation does not require network access to the vulnerable LocalAI environment.

Related Vulnerabilities

CVE-2004-1995

MEDIUM

CVSS:6.5(Medium)

Cross-Site Request Forgery (CSRF) vulnerability in FuseTalk 2.0 allows remote attackers to create arbitrary accounts via a link to adduser.cfm.

CWE-3522004

CVE-2005-1674

MEDIUM

CVSS:6.5(Medium)

Cross-Site Request Forgery (CSRF) vulnerability in Help Center Live allows remote attackers to perform actions as the administrator via a link or IMG tag to view.php.

CWE-3522005

CVE-2005-2059

MEDIUM

CVSS:6.5(Medium)

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) addaddress.php, (2) toggleignore.php, (3) removeignore.php, and (4) removeaddress.php in Infopop UBB.Threads before 6.5.2 Beta allow r...

CWE-3522005

CVE-2009-3022

MEDIUM

CVSS:6.5(Medium)

Cross-site request forgery (CSRF) vulnerability in bingo!CMS 1.2 and earlier allows remote attackers to hijack the authentication of other users for requests that modify configuration or change conten...

CWE-3522009

CVE-2011-3609

MEDIUM

CVSS:6.5(Medium)

A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the "Access-Control-Allow-Origin" HTTP ...

CWE-3522011

CVE-2011-5250

MEDIUM

CVSS:6.5(Medium)

Snare for Linux before 1.7.0 has CSRF in the web interface.

CWE-3522011