CVE-2024-4403

Name of the Vulnerable Software and Affected Versions parisneo/lollms-webui version 9.6

Description A Cross-Site Request Forgery (CSRF) issue exists in the restart program function, allowing attackers to trick users into performing unintended actions, such as resetting the program without their knowledge, by sending specially crafted CSRF forms. This affects the installation process, including the installation of Binding zoo and Models zoo, by unexpectedly resetting programs. The issue is due to the lack of CSRF protection in the affected function.

Recommendations For parisneo/lollms-webui version 9.6, consider disabling the restart program function until a patch is available to prevent unintended actions. Restrict access to the installation process, including Binding zoo and Models zoo installations, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.