PT-2024-31349 · Lollms

Published 2024-06-24 · Updated 2024-09-13 · CVE-2024-4499

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: lollms version 9.6

Description: A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server due to a lax CORS policy, allowing attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage. This can trigger arbitrary LoLLMS-XTTS API requests, leading to the reading and writing of audio files. When combined with other vulnerabilities, it could allow for the reading of arbitrary files on the system and writing files outside the permitted audio file location.

Recommendations: For version 9.6, consider implementing a stricter CORS policy to prevent unauthorized API requests as a temporary workaround. Restrict access to the XTTS server to minimize the risk of exploitation. Avoid using the LoLLMS-XTTS API for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
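As an added illustration (not LoLLMS code), the two CORS policies behind the description and the recommendation above: a lax policy that reflects any Origin with credentials, beside an allow-list policy that refuses unknown origins and unwanted preflighted methods. The UI origin http://localhost:9600, the Request shape and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    """Constructed: the parts of an HTTP request a CORS policy looks at."""
    method: str
    headers: dict


def lax_cors(req: Request) -> dict:
    """Weak policy: reflects any Origin and allows credentials, so a page on
    any site can make the browser call the API as the logged-in user and read
    the response (the pattern the advisory calls a lax CORS policy)."""
    return {
        "Access-Control-Allow-Origin": req.headers.get("Origin", "*"),
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
    }


# Assumed origin of the legitimate local UI; a deployment would configure its own.
ALLOWED_ORIGINS = frozenset({"http://localhost:9600"})
ALLOWED_METHODS = frozenset({"GET", "POST"})


def strict_cors(req: Request) -> Optional[dict]:
    """Hardened policy: only allow-listed origins get CORS headers; unknown
    origins get none (None = refuse), so the browser withholds the cross-origin
    response and preflighted writes never reach the handler."""
    origin = req.headers.get("Origin")
    if origin is None:
        return {}  # no Origin header: same-origin or non-browser client
    if origin not in ALLOWED_ORIGINS:
        return None  # never reflect an unknown origin
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if req.method == "OPTIONS":  # preflight for a non-simple request
        wanted = req.headers.get("Access-Control-Request-Method", "")
        if wanted not in ALLOWED_METHODS:
            return None
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
    return headers


def browser_can_read(policy, req: Request) -> bool:
    """Would a browser expose this cross-origin response to the calling page?"""
    resp = policy(req)
    return resp is not None and resp.get("Access-Control-Allow-Origin") == req.headers.get("Origin")
```

CORS only governs what a browser lets a page read back and which non-simple requests pass preflight; a plain HTML-form POST still reaches the server regardless, which is why restricting network access to the XTTS server is recommended alongside the policy change.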

Exploit: CSRF

Weakness Enumeration

Related Identifiers: CVE-2024-4499

Affected Products:
Lollms-Xtts Api
Xtts Server
Lollms