CVE-2024-4499

HIGH Year: 2024
CVSS v3 Score
7.6
High
Weakness Type
CWE-352
View all →

Vulnerability Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS policy. The vulnerability allows attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage, which can then trigger arbitrary LoLLMS-XTTS API requests. This issue can lead to the reading and writing of audio files and, when combined with other vulnerabilities, could allow for the reading of arbitrary files on the system and writing files outside the permitted audio file location.

Related Vulnerabilities

CVE-2017-5165

HIGH
CVSS:7.6(High)

An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter. There is no CSRF Token generated per page and/or per (sensitive) function. Successful exploitation of this vul...

CWE-3522017

CVE-2019-3718

HIGH
CVSS:7.6(High)

Dell SupportAssist Client versions prior to 3.2.0.90 contain an improper origin validation vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability to attempt CSR...

CWE-3522019

CVE-2020-15135

HIGH
CVSS:7.6(High)

save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploa...

CWE-3522020

CVE-2020-7304

HIGH
CVSS:7.6(High)

Cross site request forgery vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.5.3 allows authenticated remote attacker to embed a CRSF script via adding a new label.

CWE-3522020

CVE-2021-4164

HIGH
CVSS:7.6(High)

calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)

CWE-3522021

CVE-2024-32693

HIGH
CVSS:7.6(High)

Cross-Site Request Forgery (CSRF) vulnerability in ValvePress Automatic.This issue affects Automatic: from n/a before 3.93.0.

CWE-3522024