CVE-2024-6673 Information
Nov 01, 2024
cve
Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in the install_comfyui endpoint of the lollms_comfyui.py file in the parisneo/lollms-webui repository, versions v9.9 to the latest. The endpoint uses the GET method without requiring a client ID, allowing an attacker to trick a victim into installing ComfyUI. If the victim's device does not have sufficient capacity, this can result in a crash.
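The following is an added illustration, not code from lollms-webui or its fix commit: a minimal model of the weak pattern the advisory describes (state-changing GET, no client ID) beside a hardened handler that requires POST, a server-issued client ID and a matching Origin. The Request class, the client-ID store and the origin value are assumptions constructed for the example.

```python
# Added example (not lollms-webui's own code). Request, KNOWN_CLIENT_IDS
# and the allowed origin are constructed stand-ins for the real app.
from dataclasses import dataclass, field

# Constructed store of client IDs the server has issued to real sessions.
KNOWN_CLIENT_IDS = {"c0ffee-1234"}


@dataclass
class Request:
    method: str
    path: str
    json: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def install_vulnerable(req: Request) -> str:
    """The pattern in the advisory: a side effect triggered by a bare GET.
    A plain cross-site navigation reaches it; no secret is required."""
    if req.method == "GET" and req.path == "/install_comfyui":
        return "install started"
    return "ignored"


def install_hardened(req: Request, allowed_origin: str) -> str:
    """Same action, gated by three defender-side checks."""
    if req.path != "/install_comfyui":
        return "ignored"
    # 1. State changes only via POST; a link or image load cannot POST a JSON body.
    if req.method != "POST":
        return "rejected: method"
    # 2. The caller must present a client ID the server issued; a forged
    #    cross-site request has no way to learn it.
    if req.json.get("client_id") not in KNOWN_CLIENT_IDS:
        return "rejected: client_id"
    # 3. Browsers attach Origin to every POST; require it and require it to be ours.
    if req.headers.get("Origin") != allowed_origin:
        return "rejected: origin"
    return "install started"
```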
Reference
https://huntr.com/bounties/a38f9a7d-b357-427d-adac-f9654d8c0e3c
https://github.com/parisneo/lollms-webui/commit/c1bb1ad19752aa7541675b398495eaf98fd589f1