CVE-2024-8489 Information

Description

A vulnerability in modelscope/agentscope, specifically in the AgentScope Studio backend server, allows Cross-Site Request Forgery (CSRF) due to overly permissive CORS headers. This issue affects the latest commit on the main branch (21161fe). The vulnerability permits an attacker to access all backend endpoints, including the api/file endpoint, enabling the reading of arbitrary files on the target's local file system through CSRF.
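The root cause described above is a CORS policy that grants any web origin the right to read responses from a backend that also serves sensitive local data. The following is an added example, not code from agentscope or from the advisory, showing the risky pattern (reflecting whatever Origin the browser sends, with credentials allowed), a common half-fix (prefix matching on the allowlist), and the hardened form (exact-match allowlist plus `Vary: Origin`), together with a small audit function a defender can run against a policy to see which untrusted origins it would let read responses. All origins, the allowlist, and the function names are constructed for illustration and are not taken from the project.

```python
from typing import Callable, Dict, FrozenSet, List, Optional, Sequence

# Constructed values for the example: the only origin the dev UI legitimately
# runs on, and a few origins an auditor would probe the policy with.
TRUSTED_ORIGINS: FrozenSet[str] = frozenset({"http://localhost:5000"})
PROBE_ORIGINS: Sequence[str] = (
    "https://attacker.example",               # arbitrary third-party site
    "http://localhost:5000.evil.example",     # defeats naive prefix matching
    "null",                                   # sandboxed iframes / file:// pages
)

Policy = Callable[[str], Dict[str, str]]


def permissive_cors(request_origin: str) -> Dict[str, str]:
    """Risky pattern (hypothetical): echo any Origin back and allow credentials.

    Any page on the web can then issue a credentialed request and read the
    response body, which is what turns a local-only backend into a data leak.
    """
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def prefix_cors(request_origin: str, allowed: FrozenSet[str]) -> Dict[str, str]:
    """Common half-fix (hypothetical): allow origins that *start with* an entry.

    Prefix matching lets "http://localhost:5000.evil.example" through because
    it begins with the trusted origin string.
    """
    if any(request_origin.startswith(a) for a in allowed):
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def allowlisted_cors(request_origin: Optional[str],
                     allowed: FrozenSet[str]) -> Dict[str, str]:
    """Hardened pattern: exact-match allowlist, otherwise emit no CORS headers.

    Vary: Origin keeps shared caches from serving one origin's ACAO header to
    another; "null" is never allowlisted, so sandboxed/file origins get nothing.
    """
    if request_origin is None or request_origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def grants_cross_origin_read(headers: Dict[str, str], origin: str) -> bool:
    """Would a browser on `origin` be allowed to read this response body?"""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        # Wildcard lets every origin read non-credentialed responses; for an
        # unauthenticated local service that is already the whole problem.
        return True
    return acao == origin


def audit_cors(policy: Policy, allowed: FrozenSet[str],
               probes: Sequence[str]) -> List[str]:
    """Return the probe origins outside the allowlist that `policy` would let read responses."""
    leaks: List[str] = []
    for origin in probes:
        if origin in allowed:
            continue
        if grants_cross_origin_read(policy(origin), origin):
            leaks.append(origin)
    return leaks


if __name__ == "__main__":
    print("reflecting policy leaks to:", audit_cors(permissive_cors, TRUSTED_ORIGINS, PROBE_ORIGINS))
    print("prefix policy leaks to:   ",
          audit_cors(lambda o: prefix_cors(o, TRUSTED_ORIGINS), TRUSTED_ORIGINS, PROBE_ORIGINS))
    print("allowlist policy leaks to:",
          audit_cors(lambda o: allowlisted_cors(o, TRUSTED_ORIGINS), TRUSTED_ORIGINS, PROBE_ORIGINS))
```

The audit is deliberately written against a policy function rather than a live server so it can sit in a unit test: every origin a developer thinks is untrusted goes in the probe list, and the test fails the moment a CORS change lets one of them through. For a backend bound to localhost the allowlist is usually a single origin, and the exact-match form above is the one to keep.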

Reference

https://huntr.com/bounties/93195bf0-9ac2-4476-a2ea-7c9364727e8c