
AVID-2026-R1530

Description

CSRF in restart_program in parisneo/lollms-webui (CVE-2024-4403)

Details

A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintended actions, such as resetting the program without their knowledge, by sending specially crafted CSRF forms. This issue affects the installation process, including the installation of Binding zoo and Models zoo, by unexpectedly resetting programs. The vulnerability is due to the lack of CSRF protection in the affected function.

Reason for inclusion in AVID: CVE-2024-4403 describes a Cross-Site Request Forgery (CSRF) vulnerability in the restart_program function of parisneo/lollms-webui, including impacts on installation processes for model zoos. This involves an AI tooling component used to deploy/run AI systems (Lollms web UI for managing models and runtimes). The vulnerability is security-related (CSRF) and affects the software stack used to build/deploy AI workflows, i.e., a general-purpose AI supply chain component. The CVE provides sufficient evidence (description, impact, references) to support classification as an AI-supply-chain vulnerability.

References

Affected or Relevant Artifacts

  • Developer: parisneo
  • Deployer: parisneo
  • Artifact Details:
      • Type: System
      • Name: parisneo/lollms-webui

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.0
  • Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
  • Base Score: 4.4
  • Base Severity: 🟠 Medium
  • Attack Vector: LOCAL
  • Attack Complexity: 🟢 Low
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: 🟢 Low
  • Availability Impact: 🟢 Low

CWE

  • ID: CWE-352
  • Description: Cross-Site Request Forgery (CSRF)

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-06-10
  • Version: 0.3.3
  • AVID Entry