CVE-2024-6673

MEDIUM Year: 2024
CVSS v3 Score
4.4
Medium
Weakness Type
CWE-352
View all →

Vulnerability Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the `install_comfyui` endpoint of the `lollms_comfyui.py` file in the parisneo/lollms-webui repository, versions v9.9 to the latest. The endpoint uses the GET method without requiring a client ID, allowing an attacker to trick a victim into installing ComfyUI. If the victim's device does not have sufficient capacity, this can result in a crash.

Related Vulnerabilities

CVE-2024-39326

MEDIUM
CVSS:4.4(Medium)

SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site reques...

CWE-3522024

CVE-2024-4403

MEDIUM
CVSS:4.4(Medium)

A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintende...

CWE-3522024

CVE-2024-4839

MEDIUM
CVSS:4.4(Medium)

A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic searc...

CWE-3522024

CVE-2017-8382

MEDIUM
CVSS:4.5(Medium)

admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.

CWE-3522017

CVE-2020-20586

MEDIUM
CVSS:4.5(Medium)

A cross site request forgery (CSRF) vulnerability in the /xyhai.php?s=/Auth/editUser URI of XYHCMS V3.6 allows attackers to edit any information of the administrator such as the name, e-mail, and pass...

CWE-3522020

CVE-2020-36191

MEDIUM
CVSS:4.5(Medium)

JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).

CWE-3522020