CVE-2024-9311

Name of the Vulnerable Software and Affected Versions haotian-liu/llava version 1.2.0

Description A Cross-Site Request Forgery (CSRF) issue allows an attacker to upload files with malicious content without authentication or user interaction. The uploaded file is stored in a predictable path, enabling the attacker to execute arbitrary JavaScript code in the context of the victim's browser by visiting the crafted file URL. This can lead to theft of sensitive information, session hijacking, or other actions compromising the security and privacy of the victim.

Recommendations For haotian-liu/llava version 1.2.0, consider disabling file upload functionality until a patch is available to prevent exploitation of this issue. Restrict access to predictable paths where uploaded files are stored to minimize the risk of arbitrary JavaScript code execution. Avoid using the application until a fixed version is released. At the moment, there is no information about a newer version that contains a fix for this vulnerability.