PT-2024-16025 · Comfyui · Comfyui

Published 2024-10-17 · Updated 2025-06-15 · CVE-2024-10099

CVSS v3.1 6.1 Medium
Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: comfyanonymous/comfyui version 0.2.2 and possibly earlier
Description: A stored cross-site scripting (XSS) issue exists. An unauthenticated attacker (PR:N in the vector) can upload an HTML file carrying a script payload via the "/api/upload/image" endpoint, which accepts the file without verifying that its contents are actually an image. When a user later opens the stored file through the "/view" API endpoint, the server returns it with a content type inferred from the attacker-chosen filename, so the browser renders the HTML in the ComfyUI origin and executes the attacker's JavaScript with the viewing user's access to that origin and its API.
Recommendations: For comfyanonymous/comfyui version 0.2.2 and possibly earlier, upgrade to a release that includes the fix. Until that is possible, disable the "/api/upload/image" endpoint and restrict access to the "/view" API endpoint (for example, keep ComfyUI bound to localhost or behind an authenticating reverse proxy), and avoid viewing files uploaded through "/api/upload/image". Note that disabling the upload endpoint does not remove HTML files that were already uploaded: check the upload directory for non-image files. A durable server-side fix is for "/view" to serve only an allowlist of verified image types, send "X-Content-Type-Options: nosniff", and return anything else as a download rather than inline.
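The flow described above, reduced to the server-side decision that matters, as an added example that is not ComfyUI's own code. The vulnerable function models a "/view" handler that lets the framework infer the Content-Type from the client-supplied filename (which is how "payload.html" ends up served as text/html); the hardened functions model the upload check and the "/view" response headers a fixed server should produce. All function and constant names, the allowlist, and the sample bytes are this example's own assumptions, not ComfyUI identifiers.

```python
"""Model of the upload/view content-type problem behind CVE-2024-10099.

Added example, not ComfyUI code. Standard library only so it runs offline.
"""
import mimetypes
import os

# Assumed allowlist: extension -> (canonical MIME type, accepted magic-byte prefixes).
# SVG is deliberately absent: image/svg+xml rendered inline can execute script.
ALLOWED_IMAGE_TYPES = {
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    ".webp": ("image/webp", (b"RIFF",)),  # RIFF header; "WEBP" tag checked separately
}


def vulnerable_view_headers(filename):
    """Vulnerable pattern: Content-Type inferred from the client-controlled
    filename, inline disposition, no nosniff. 'payload.html' -> text/html,
    so the browser renders the upload as a document in the app's origin."""
    ctype, _ = mimetypes.guess_type(filename)
    return {
        "Content-Type": ctype or "application/octet-stream",
        "Content-Disposition": f'filename="{filename}"',
    }


def safe_basename(filename):
    """Drop directory components and characters that could break the header."""
    name = os.path.basename(filename.replace("\\", "/"))
    return "".join(c for c in name if c.isprintable() and c not in '"\\;')


def validate_image_upload(filename, data):
    """Hardened upload check: return the canonical MIME type only if the
    extension is allowlisted AND the leading bytes match that type."""
    ext = os.path.splitext(safe_basename(filename))[1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        return None
    mime, magics = ALLOWED_IMAGE_TYPES[ext]
    if not any(data.startswith(m) for m in magics):
        return None  # e.g. HTML renamed to .png
    if ext == ".webp" and data[8:12] != b"WEBP":
        return None  # RIFF container that is not actually WebP
    return mime


def hardened_view_headers(filename, data):
    """Hardened /view response: only verified image types go inline; anything
    else is forced to download as an opaque blob, and nosniff stops the
    browser from second-guessing the declared type either way."""
    name = safe_basename(filename)
    mime = validate_image_upload(filename, data)
    if mime is None:
        return {
            "Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{name}"',
            "X-Content-Type-Options": "nosniff",
        }
    return {
        "Content-Type": mime,
        "Content-Disposition": f'inline; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and an HTML payload.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    html = b"<script>alert(document.domain)</script>"
    print(vulnerable_view_headers("payload.html"))   # text/html, inline
    print(hardened_view_headers("payload.html", html))  # octet-stream, attachment
    print(hardened_view_headers("cat.png", png))     # image/png, inline, nosniff
```

The two checks are complementary: the upload-time check keeps HTML out of the store, and the serve-time headers make sure that whatever is already there (or slips past the upload check via a future bug) is never rendered as a document in the application's origin. The "attachment" disposition plus nosniff is what closes this class of bug regardless of how the file got uploaded.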

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2024-10099

Affected Products: Comfyui