PT-2024-37790 · Unknown · Lollms-Webui

Published: 2024-10-29 · Updated: 2024-11-02 · CVE-2024-6673
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected software and versions: lollms-webui v9.9 through the latest
Description: A Cross-Site Request Forgery (CSRF) vulnerability exists in the "install comfyui" endpoint in the lollms comfyui.py file. The endpoint is exposed over the GET method and does not require a client ID, so an attacker can trick a victim's browser into triggering the installation of ComfyUI. If the victim's device lacks sufficient capacity, the installation can crash it.
Recommendations: For versions v9.9 through the latest, consider disabling the "install comfyui" endpoint until a patch is available, to prevent CSRF attacks. Restrict access to the lollms comfyui.py file to minimize the risk of exploitation. Do not expose the "install comfyui" action over GET without proper validation and authentication mechanisms in place.
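An added example (not lollms-webui's own code) showing the checks the recommendations call for on a state-changing route such as "install comfyui": reject GET, require a client ID that is bound to the caller's session, and verify same-origin request headers. The Request class, the SESSIONS table and the allowed UI origin are assumptions constructed for this example.

```python
"""Framework-agnostic guard for a state-changing endpoint (added example)."""
from dataclasses import dataclass, field
import hmac


@dataclass
class Request:
    method: str
    headers: dict
    query: dict = field(default_factory=dict)   # URL parameters
    body: dict = field(default_factory=dict)    # POST body fields


# Assumed server-side registry: session cookie -> client_id issued to it.
# Values are constructed for the example, not real lollms identifiers.
SESSIONS = {"sess-abc": "cid-123"}
ALLOWED_ORIGINS = {"http://localhost:9600"}   # assumed origin of the UI


def _session_from_cookie(cookie_header: str):
    pairs = (p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    return dict(pairs).get("session")


def authorize_install(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for an install request.

    Mirrors the advisory's fixes: no GET for state changes, client_id
    required and bound to the session, and a same-origin check.
    """
    # 1. A GET reachable from an <img> or link must not trigger installs.
    if req.method.upper() != "POST":
        return False, "method not allowed"
    # 2. Browsers attach Origin to cross-site POSTs; refuse foreign origins.
    origin = req.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "cross-origin request refused"
    if origin is None and req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return False, "cross-site fetch refused"
    # 3. client_id must come from the body and match the session's own id.
    expected = SESSIONS.get(_session_from_cookie(req.headers.get("Cookie", "")))
    client_id = req.body.get("client_id")
    if not expected or not client_id or not hmac.compare_digest(client_id, expected):
        return False, "missing or mismatched client_id"
    return True, "ok"


if __name__ == "__main__":
    forged = Request("GET", {"Cookie": "session=sess-abc"}, query={"client_id": "cid-123"})
    print(authorize_install(forged))   # (False, 'method not allowed')
```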

Weakness Enumeration: CSRF
Related Identifiers: CVE-2024-6673
Affected Products: Lollms-Webui