PT-2025-12231 · Unknown · Agentscope
Published 2025-03-20 · Updated 2025-03-21 · CVE-2024-8489
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: modelscope/agentscope version 21161fe
Description: A Cross-Site Request Forgery (CSRF) issue exists due to overly permissive CORS headers in the AgentScope Studio backend server. This allows an attacker to access all backend endpoints, including the api/file endpoint, and thereby to read arbitrary files on the target's local file system through CSRF.
Recommendations: For version 21161fe, consider restricting access to the api/file endpoint and reviewing the CORS headers to prevent overly permissive settings. As a temporary workaround, restrict access to the backend server to minimize the risk of exploitation.
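The recommendation to review the CORS headers is easier to act on with a concrete check. The following Python is an added example for this advisory, not AgentScope's own code: it audits the CORS response headers a backend returns for a given request Origin, flags the over-permissive patterns (wildcard allow-origin, blind reflection of the Origin, credentials granted to an untrusted origin), and shows a restrictive allow-list policy beside the permissive one. The trusted UI origin (http://localhost:5000), the third-party origin used in the demo and the header values are assumptions, not values taken from the page.

```python
"""Check CORS response headers for over-permissive settings and show a
restrictive allow-list policy beside them.

Added illustration for the advisory above, not AgentScope's code. It assumes
the Studio UI is served from one fixed origin (placeholder
http://localhost:5000) and that the backend needs no other cross-origin
callers; the header names are the standard CORS response headers.
"""
from typing import Dict, List, Mapping, Optional

# Assumed trusted UI origin (placeholder, not taken from the advisory).
TRUSTED_ORIGINS = frozenset({"http://localhost:5000"})


def audit_cors_headers(headers: Mapping[str, str], request_origin: str) -> List[str]:
    """Return findings for the CORS headers a backend sent to a page at
    `request_origin`. An empty list means the browser will not let that
    page read the response body, so a cross-site read is blocked."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    credentials = lower.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return findings
    if acao == "*":
        findings.append("wildcard Access-Control-Allow-Origin: any site can read responses")
    elif acao == request_origin and request_origin not in TRUSTED_ORIGINS:
        findings.append("request Origin reflected without an allow-list: behaves like a wildcard")
    if credentials and acao == request_origin and request_origin not in TRUSTED_ORIGINS:
        findings.append("Allow-Credentials true for an untrusted origin: "
                        "cookie-authenticated cross-site reads succeed")
    return findings


def permissive_cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """The kind of over-permissive policy the advisory describes: every
    origin is granted access, regardless of who asks."""
    return {"Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
            "Access-Control-Allow-Headers": "*"}


def restrictive_cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Hardened policy: only an allow-listed Origin receives CORS headers;
    everyone else gets none, so the browser's same-origin policy applies."""
    if request_origin is None or request_origin not in TRUSTED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": request_origin,
            "Vary": "Origin",  # response differs per Origin; keep caches honest
            "Access-Control-Allow-Methods": "GET, POST",
            "Access-Control-Allow-Headers": "Content-Type"}


def compare_policies(request_origin: str) -> Dict[str, List[str]]:
    """Audit both policies against the same cross-origin requester."""
    return {
        "permissive": audit_cors_headers(permissive_cors_headers(request_origin), request_origin),
        "restrictive": audit_cors_headers(restrictive_cors_headers(request_origin), request_origin),
    }


if __name__ == "__main__":
    # Constructed third-party page origin, used only for the demo.
    for name, issues in compare_policies("https://third-party.example").items():
        print(f"{name}: {issues or 'no findings'}")
```

Run against a live deployment, `audit_cors_headers` would take the headers of a real response; here the two policy functions stand in for the backend. Note that returning no CORS headers at all, rather than a restricted set, is the correct answer for an origin that is not on the allow-list, and that an unauthenticated local backend is readable by any page the wildcard admits, credentials or not.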

Fix

CSRF

Weakness Enumeration
Related Identifiers: CVE-2024-8489
Affected Products: Agentscope