PT-2024-32972 · Localai+1

Aftersnows +1 · Published 2024-11-04 · Updated 2024-11-22 · CVE-2024-48057

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: localai versions <=2.20.1

Description: The issue is a Cross-Site Scripting (XSS) vulnerability. When the delete model API is called with inappropriate parameters, it can cause a one-time stored XSS; the payload is triggered when a user accesses the homepage. The vulnerability occurs in the delete model API when bad parameters are used.

Recommendations: For localai versions <=2.20.1, as a temporary workaround, consider restricting access to the delete model API until a patch is available. Avoid passing inappropriate parameters to the delete model API to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit · XSS · CSRF

Weakness Enumeration

Related Identifiers

CVE-2024-48057
GHSA-GHX4-CGXW-7H9P
GO-2024-3253
OPENSUSE-SU-2024:14470-1
OPENSUSE-SU-2024_4042-1
SUSE-SU-2024:4042-1

Affected Products

Suse
Localai