CVE-2024-4328 – This CSRF vulnerability in parisneo/lollms-webu... (How to Fix)

Q: What is the severity of CVE-2024-4328?

CVE-2024-4328 has a CVSS score of 8.1 (HIGH). This CSRF vulnerability in parisneo/lollms-webui allows attackers to trick authenticated users into unknowingly clearing personality files via malicious GET requests. It affects users running vulnerable versions of the web interface, potentially leading to unauthorized file deletion.

📋 TL;DR

This CSRF vulnerability in parisneo/lollms-webui allows attackers to trick authenticated users into unknowingly clearing personality files via malicious GET requests. It affects users running vulnerable versions of the web interface, potentially leading to unauthorized file deletion.

💻 Affected Systems

Products:

parisneo/lollms-webui

Versions: v9.6 and potentially earlier versions

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Affects web interface endpoints; requires user authentication but no CSRF tokens.

📦 What is this software?

Lollms Web Ui by Parisneo

View all CVEs affecting Lollms Web Ui →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could delete critical personality files, disrupting AI functionality and causing data loss for all users.

🟠

Likely Case

Targeted attacks clearing specific personality files, affecting individual user experiences.

🟢

If Mitigated

With proper CSRF protection, no unauthorized actions can be performed via forged requests.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

CSRF attacks are well-understood; exploitation requires user interaction but is technically simple.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check latest release after v9.6

Vendor Advisory: https://huntr.com/bounties/0f4faadf-ebca-4ef8-9d8a-66dbd849c0f8

Restart Required: Yes

Instructions:

1. Update to latest patched version. 2. Restart the lollms-webui service. 3. Verify CSRF protection is enabled.

🔧 Temporary Workarounds

Change GET to POST

all

Modify the clear_personality_files_list endpoint to require POST requests with CSRF tokens.

Modify app.py to change @app.route('/clear_personality_files_list', methods=['GET']) to methods=['POST'] and add CSRF protection

Add CSRF Middleware

all

Implement CSRF protection globally for all state-changing endpoints.

Add Flask-WTF or similar CSRF protection to the Flask application

🧯 If You Can't Patch

Restrict access to the web interface using network controls or authentication proxies.
Implement WAF rules to block suspicious requests to the vulnerable endpoint.

🔍 How to Verify

Check if Vulnerable:

Check if /clear_personality_files_list endpoint accepts GET requests without CSRF tokens.

Check Version:

Check lollms-webui version in web interface or package metadata.

Verify Fix Applied:

Verify endpoint now requires POST with valid CSRF token or returns 403 for GET requests.

📡 Detection & Monitoring

Log Indicators:

Multiple GET requests to /clear_personality_files_list from unusual sources
403 errors after implementing CSRF protection

Network Indicators:

Unusual GET requests to the vulnerable endpoint
Requests without referrer headers or CSRF tokens

SIEM Query:

source="web_logs" AND uri_path="/clear_personality_files_list" AND http_method="GET"

📊 Metadata

CVE ID: CVE-2024-4328

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CWE: CWE-352

Published: June 10, 2024

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-4328, you might also want to check these: