CVE-2024-4839

Name of the Vulnerable Software and Affected Versions parisneo/lollms-webui versions 9.6 through the latest

Description A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function, affecting services such as Elastic search Service, XTTS service, Petals service, vLLM service, and Motion Ctrl service, which lack CSRF protection. This issue allows attackers to deceive users into unwittingly installing services by submitting malicious installation requests, resulting in users performing actions without their consent.

Recommendations For versions 9.6 through the latest, consider disabling the affected services, including Elastic search Service, XTTS service, Petals service, vLLM service, and Motion Ctrl service, until a patch is available to add CSRF protection. Restrict access to the 'Servers Configurations' function to minimize the risk of exploitation. Avoid using the function to install new services until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.