CVE-2024-6673.yaml
info:
  name: comfyui
  cve: CVE-2024-6673
  summary: Cross-Site Request Forgery (CSRF) in `install_comfyui` endpoint of lollms-webui.
  details: |
    A Cross-Site Request Forgery (CSRF) vulnerability exists in the `install_comfyui` endpoint of the `lollms_comfyui.py` file in the parisneo/lollms-webui repository, versions v9.9 to the latest. The endpoint uses the GET method without requiring a client ID, allowing an attacker to trick a victim into installing ComfyUI. If the victim's device does not have sufficient capacity, this can result in a crash.
  cvss: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
  severity: MEDIUM
  security_advise: |
    1. Upgrade lollms-webui to a version patched after commit `c1bb1ad19752aa7541675b398495eaf98fd589f1`.
    2. Ensure that sensitive actions require proper CSRF tokens or use POST requests with appropriate validation.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-6673
  - https://github.com/parisneo/lollms-webui/commit/c1bb1ad19752aa7541675b398495eaf98fd589f1
  - https://huntr.com/bounties/a38f9a7d-b357-427d-adac-f9654d8c0e3c
rule: version >= "9.9"