CVE-2024-9901 - Vulnerability Details

** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-48057. Notes: All CVE users should reference CVE-2024-48057 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2025-6857	REJECT DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-48057. Notes: All CVE users should reference CVE-2024-48057 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

No reference.

History

Tue, 15 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Title	Storage XSS and CSRF Vulnerability in mudler/localai
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 15 Apr 2025 16:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-79
References	https://github.com/mudler/localai/commit/a1634b219a4e52813e70ff07e6376a01449c4515 https://huntr.com/bounties/31332c23-ea89-4176-ba57-388cf6008945
Metrics	cvssV3_0 `{'score': 3.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N'}`

Tue, 15 Apr 2025 16:00:00 +0000

Type	Values Removed	Values Added
Description	LocalAI version v2.19.4 (af0545834fd565ab56af0b9348550ca9c3cb5349) contains a vulnerability where the delete model API improperly neutralizes input during web page generation, leading to a one-time storage cross-site scripting (XSS) vulnerability. This vulnerability allows an attacker to store a malicious payload that executes when a user accesses the homepage. Additionally, the presence of cross-site request forgery (CSRF) can enable automated malicious requests.	REJECT DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-48057. Notes: All CVE users should reference CVE-2024-48057 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage.

Thu, 20 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 20 Mar 2025 10:15:00 +0000

Type	Values Removed	Values Added
Description		LocalAI version v2.19.4 (af0545834fd565ab56af0b9348550ca9c3cb5349) contains a vulnerability where the delete model API improperly neutralizes input during web page generation, leading to a one-time storage cross-site scripting (XSS) vulnerability. This vulnerability allows an attacker to store a malicious payload that executes when a user accesses the homepage. Additionally, the presence of cross-site request forgery (CSRF) can enable automated malicious requests.
Title		Storage XSS and CSRF Vulnerability in mudler/localai
Weaknesses		CWE-79
References		https://github.com/mudler/localai/commit/a1634b219a4e52813e70ff07e6376a01449c4515 https://huntr.com/bounties/31332c23-ea89-4176-ba57-388cf6008945
Metrics		cvssV3_0 `{'score': 3.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: REJECTED

Assigner: @huntr_ai

Published: 2025-03-20T10:11:01.980Z

Updated: 2025-04-15T15:52:50.485Z

Reserved: 2024-10-12T01:09:41.237Z

Link: CVE-2024-9901

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2025-03-20T10:15:50.540

Modified: 2025-04-15T16:15:47.657

Link: CVE-2024-9901

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Metrics

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object