Medium

lollms-webui

CSRF Vulnerability in ComfyUI Installation Endpoint

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the ComfyUI installation endpoint of lollms-webui, affecting version v9.9. The endpoint performs a state-changing action (installing ComfyUI) without any anti-CSRF check, so an attacker who lures a victim to a crafted web page can make the victim's browser trigger the installation without the victim's knowledge or consent. On a device that lacks the resources to run the install, this can crash the application (the CVSS vector below rates the impact as low availability and low confidentiality loss). The advisory states that the issue was patched in version 9.9 (see Patch Details).

Available publicly on Oct 12 2024

CVSS score: 4.4 (Medium)

CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

Remediation Steps
  • Update to lollms-webui version 9.9 or later (the fix is the commit listed under Patch Details).
  • Add CSRF protection to every state-changing endpoint: issue an unpredictable anti-CSRF token bound to the user's session, require it in a request header or form field that a cross-site page cannot supply, and verify it server-side with a constant-time comparison. Checking the Origin (or Referer) header against the expected UI origin and marking the session cookie SameSite=Lax or Strict adds defence in depth.
  • Require authentication and authorization before sensitive actions such as installing software, so that an unauthenticated request cannot start an install at all.
  • Do not expose state-changing actions over GET: a GET endpoint can be triggered by a plain <img> tag or link on an attacker's page. Moving the action to POST removes that trigger, but POST alone does not prevent CSRF (an auto-submitting cross-site form still sends the victim's cookies), so the token check above is still required.
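The following is an added example written for this advisory, not lollms-webui's own code or its patch. It contrasts the vulnerable pattern (any request to the install endpoint starts the install) with a hardened handler that applies the remediation steps above: POST only, an authenticated session, an Origin/Referer check, and a session-bound anti-CSRF token. The endpoint path `/install_comfyui`, the UI origin `http://localhost:9600`, the dict-shaped request, the session id and the server secret are all assumptions constructed for the example; a real deployment would take these from the web framework and its configuration. The token here is an HMAC over the session id, a common alternative to the per-request random token mentioned in the remediation steps; either works as long as the server verifies it.

```python
"""Added example: CSRF guard for a state-changing 'install' endpoint.

Illustrative code written for this advisory, not lollms-webui's code or
patch. The endpoint path, origin, session id, secret and request shape
are constructed assumptions so the example runs offline.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values for the example (assumptions, not the project's own).
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
ALLOWED_ORIGIN = "http://localhost:9600"      # assumed origin of the web UI
SESSION_ID = "sess-constructed-0001"          # assumed logged-in session
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def make_csrf_token(session_id, secret=SERVER_SECRET):
    """Token bound to the session: HMAC-SHA256(secret, session_id).

    The UI embeds this in the page after login and sends it back in the
    X-CSRF-Token header; a cross-site page cannot read or set it.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def _same_origin(url, allowed):
    """Compare scheme, host and port of a URL against the allowed origin."""
    a, b = urlsplit(url), urlsplit(allowed)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def vulnerable_install(request):
    """The pattern the advisory describes: any request that reaches the
    endpoint, including a GET fired by <img src=...> on a hostile page,
    kicks off the install. No method, session, origin or token check."""
    if request["path"] != "/install_comfyui":
        return 404, "not found"
    return 200, "installing ComfyUI"


def hardened_install(request, secret=SERVER_SECRET):
    """The same endpoint with the remediation steps applied."""
    if request["path"] != "/install_comfyui":
        return 404, "not found"
    # 1. State-changing actions only over POST-like methods; a GET from an
    #    <img> tag or link can never start an install.
    if request["method"] not in STATE_CHANGING_METHODS:
        return 405, "method not allowed"
    # 2. The caller must be an authenticated session.
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "authentication required"
    # 3. Origin (or Referer as a fallback) must match the UI origin.
    #    (Real frameworks normalise header case; this toy uses exact names.)
    headers = request.get("headers", {})
    source = headers.get("Origin") or headers.get("Referer")
    if not source or not _same_origin(source, ALLOWED_ORIGIN):
        return 403, "cross-origin request rejected"
    # 4. The anti-CSRF token must match the session-bound token, compared
    #    in constant time so the check leaks nothing about the expected value.
    supplied = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied, make_csrf_token(session_id, secret)):
        return 403, "missing or invalid CSRF token"
    return 200, "installing ComfyUI"


def _both(request):
    """Status codes from the vulnerable and hardened handlers for one request."""
    return vulnerable_install(request)[0], hardened_install(request)[0]


def forged_get():
    """<img src="http://localhost:9600/install_comfyui"> on evil.example:
    the browser attaches the session cookie; the page cannot add headers."""
    return _both({"path": "/install_comfyui", "method": "GET",
                  "cookies": {"session": SESSION_ID},
                  "headers": {"Referer": "https://evil.example/page"}})


def forged_post():
    """Auto-submitting cross-site form: POST with cookies, hostile Origin,
    and no way to supply the token."""
    return _both({"path": "/install_comfyui", "method": "POST",
                  "cookies": {"session": SESSION_ID},
                  "headers": {"Origin": "https://evil.example"}})


def legitimate_post():
    """The real UI: same origin, logged-in session, correct token."""
    return _both({"path": "/install_comfyui", "method": "POST",
                  "cookies": {"session": SESSION_ID},
                  "headers": {"Origin": ALLOWED_ORIGIN,
                              "X-CSRF-Token": make_csrf_token(SESSION_ID)}})


if __name__ == "__main__":
    for name, fn in (("forged GET", forged_get), ("forged POST", forged_post),
                     ("legitimate POST", legitimate_post)):
        vuln, hard = fn()
        print(f"{name:16} vulnerable={vuln} hardened={hard}")
```

Running the block shows the vulnerable handler returning 200 for all three requests, while the hardened handler rejects the forged GET (405) and forged POST (403) and accepts only the same-origin request carrying the session's token. Note that the Origin check alone would already stop the forged POST; the token check is kept because Origin/Referer can be absent or stripped by privacy settings, and the two checks fail independently.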
Patch Details
  • Fixed Version: 9.9
  • Patch Commit: https://github.com/ParisNeo/lollms-webui/commit/c1bb1ad19752aa7541675b398495eaf98fd589f1