CVE-2024-9311

Medium CVSS: 6.1

A Cross-Site Request Forgery (CSRF) vulnerability in haotian-liu/llava v1.2.0 (LLaVA-1.6) allows an attacker to upload files with malicious content without authentication or user interaction. The uploaded file is stored in a predictable path, enabling the attacker to execute arbitrary JavaScript code in the context of the victim's browser by visiting the crafted file URL. This can lead to theft of sensitive information, session hijacking, or other actions compromising the security and privacy of the victim.

Vendor

Hliu

Product

Large Language And Vision Assistant

CWE

CWE-352

Yayın Tarihi

2025-03-20 10:15:47

Güncelleme

2025-04-07 14:54:12

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-352 Large Language And Vision Assistant MEDIUM Hliu 2025

Referanslar

https://huntr.com/bounties/15b18b85-5a6b-43e7-bc65-6b4772871e98

Benzer Kayıtlar

Medium

CVE-2024-9308

An open redirect vulnerability in haotian-liu/llava version v1.2.0 (LLaVA-1.6) allows a remote unauthenticated attacker…

Critical

CVE-2024-9309

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Contro…

High

CVE-2024-12068

A Server-Side Request Forgery (SSRF) vulnerability was discovered in haotian-liu/llava, affecting version git c121f04. T…

High

CVE-2024-12070

A Denial of Service (DoS) vulnerability exists in the file upload feature of haotian-liu/llava, specifically in Release…

High

CVE-2024-12065

A local file inclusion vulnerability exists in haotian-liu/llava at commit c121f04. This vulnerability allows an attacke…

High

CVE-2024-11449

A vulnerability in haotian-liu/llava version 1.2.0 (LLaVA-1.6) allows for Server-Side Request Forgery (SSRF) through the…