Closed GoVulnBot closed 2 weeks ago
Advisory GHSA-ghx4-cgxw-7h9p references a vulnerability in the following Go modules:
Description: localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage.
References:
No existing reports found with this module or alias. See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING modules: - module: github.com/mudler/LocalAI vulnerable_at: 1.40.0 summary: LocalAI Cross-site Scripting vulnerability in github.com/mudler/LocalAI cves: - CVE-2024-48057 ghsas: - GHSA-ghx4-cgxw-7h9p references: - advisory: https://github.com/advisories/GHSA-ghx4-cgxw-7h9p - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-48057 - web: https://gist.github.com/AfterSnows/1bd7ee5a3a42dbb5f5ff67f7f9c8ccec - web: https://github.com/mudler/LocalAI/blob/master/core/http/views/index.html#L75 - web: https://rumbling-slice-eb0.notion.site/LocalAI-deleted-model-with-storage-XSS-CSRF-vulnerability-in-mudler-localai-101e3cda9e8c80e0ac12fe418d5dd982?pvs=4 source: id: GHSA-ghx4-cgxw-7h9p created: 2024-11-05T16:01:34.61050075Z review_status: UNREVIEWED
Change https://go.dev/cl/625955 mentions this issue: data/reports: add 4 unreviewed reports
data/reports: add 4 unreviewed reports
Advisory GHSA-ghx4-cgxw-7h9p references a vulnerability in the following Go modules:
Description: localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage.
References:
No existing reports found with this module or alias. See doc/quickstart.md for instructions on how to triage this report.