CVE-2024-9311 — MEDIUM (6.1)

Vulnerability Description

A Cross-Site Request Forgery (CSRF) vulnerability in haotian-liu/llava v1.2.0 (LLaVA-1.6) allows an attacker to upload files with malicious content without authentication or user interaction. The uploaded file is stored in a predictable path, enabling the attacker to execute arbitrary JavaScript code in the context of the victim's browser by visiting the crafted file URL. This can lead to theft of sensitive information, session hijacking, or other actions compromising the security and privacy of the victim.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Hliu	Large Language And Vision Assistant	1.2.0

Related Weaknesses (CWE)

CWE-352

References

https://huntr.com/bounties/15b18b85-5a6b-43e7-bc65-6b4772871e98ExploitThird Party Advisory

FAQ

What is CVE-2024-9311?

CVE-2024-9311 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A Cross-Site Request Forgery (CSRF) vulnerability in haotian-liu/llava v1.2.0 (LLaVA-1.6) allows an attacker to upload files with malicious content without authentication or user interaction. The uplo...

How severe is CVE-2024-9311?

CVE-2024-9311 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-9311?

Check the references section above for vendor advisories and patch information. Affected products include: Hliu Large Language And Vision Assistant.