CVE-2024-4839.yaml
info:
  name: vllm
  cve: CVE-2024-4839
  summary: Cross-Site Request Forgery (CSRF) vulnerability in parisneo/lollms-webui affecting vLLM service.
  details: |
    A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and Motion Ctrl service, which lack CSRF protection. This vulnerability allows attackers to deceive users into unwittingly installing the XTTS service among other packages by submitting a malicious installation request. Successful exploitation results in attackers tricking users into performing actions without their consent.
  cvss: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
  severity: MEDIUM
  security_advise: |
    1. Implement robust CSRF protection mechanisms, such as anti-CSRF tokens, for all sensitive actions within the 'Servers Configurations' function.
    2. Validate the origin of requests to ensure they are legitimate and not initiated by malicious third-party sites.
    3. Educate users about the risks of clicking on suspicious links or visiting untrusted websites.
rule: version >= "9.6"
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-4839
  - https://huntr.com/bounties/dcfc5a07-0427-42b5-a623-8d943873d7ff