nvd-json-data-feeds/CVE-2024/CVE-2024-99xx/CVE-2024-9901.json

{
  "id": "CVE-2024-9901",
  "sourceIdentifier": "security@huntr.dev",
  "published": "2025-03-20T10:15:50.540",
  "lastModified": "2025-03-20T10:15:50.540",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LocalAI version v2.19.4 (af0545834fd565ab56af0b9348550ca9c3cb5349) contains a vulnerability where the delete model API improperly neutralizes input during web page generation, leading to a one-time storage cross-site scripting (XSS) vulnerability. This vulnerability allows an attacker to store a malicious payload that executes when a user accesses the homepage. Additionally, the presence of cross-site request forgery (CSRF) can enable automated malicious requests."
    },
    {
      "lang": "es",
      "value": "La versi\u00f3n v2.19.4 de LocalAI (af0545834fd565ab56af0b9348550ca9c3cb5349) contiene una vulnerabilidad en la que la API del modelo de eliminaci\u00f3n neutraliza incorrectamente la entrada durante la generaci\u00f3n de p\u00e1ginas web, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) de almacenamiento \u00fanico. Esta vulnerabilidad permite a un atacante almacenar un payload malicioso que se ejecuta cuando un usuario accede a la p\u00e1gina de inicio. Adem\u00e1s, la presencia de cross-site request forgery (CSRF) puede habilitar solicitudes maliciosas automatizadas."
    }
  ],
  "metrics": {
    "cvssMetricV30": [
      {
        "source": "security@huntr.dev",
        "type": "Secondary",
        "cvssData": {
          "version": "3.0",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N",
          "baseScore": 3.4,
          "baseSeverity": "LOW",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "HIGH",
          "userInteraction": "REQUIRED",
          "scope": "CHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 1.4
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security@huntr.dev",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/mudler/localai/commit/a1634b219a4e52813e70ff07e6376a01449c4515",
      "source": "security@huntr.dev"
    },
    {
      "url": "https://huntr.com/bounties/31332c23-ea89-4176-ba57-388cf6008945",
      "source": "security@huntr.dev"
    }
  ]
}
Auto-Update: 2025-03-20T11:00:20.508636+00:00 2025-03-20 11:03:52 +00:00			`{`
			`"id": "CVE-2024-9901",`
			`"sourceIdentifier": "security@huntr.dev",`
			`"published": "2025-03-20T10:15:50.540",`
			`"lastModified": "2025-03-20T10:15:50.540",`
Auto-Update: 2025-03-23T03:00:20.104511+00:00 2025-03-23 03:03:54 +00:00			`"vulnStatus": "Awaiting Analysis",`
Auto-Update: 2025-03-20T11:00:20.508636+00:00 2025-03-20 11:03:52 +00:00			`"cveTags": [],`
			`"descriptions": [`
			`{`
			`"lang": "en",`
			`"value": "LocalAI version v2.19.4 (af0545834fd565ab56af0b9348550ca9c3cb5349) contains a vulnerability where the delete model API improperly neutralizes input during web page generation, leading to a one-time storage cross-site scripting (XSS) vulnerability. This vulnerability allows an attacker to store a malicious payload that executes when a user accesses the homepage. Additionally, the presence of cross-site request forgery (CSRF) can enable automated malicious requests."`
Auto-Update: 2025-03-23T03:00:20.104511+00:00 2025-03-23 03:03:54 +00:00			`},`
			`{`
			`"lang": "es",`
			"value": "La versi\u00f3n v2.19.4 de LocalAI (af0545834fd565ab56af0b9348550ca9c3cb5349) contiene una vulnerabilidad en la que la API del modelo de eliminaci\u00f3n neutraliza incorrectamente la entrada durante la generaci\u00f3n de p\u00e1ginas web, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) de almacenamiento \u00fanico. Esta vulnerabilidad permite a un atacante almacenar un payload malicioso que se ejecuta cuando un usuario accede a la p\u00e1gina de inicio. Adem\u00e1s, la presencia de cross-site request forgery (CSRF) puede habilitar solicitudes maliciosas automatizadas."
Auto-Update: 2025-03-20T11:00:20.508636+00:00 2025-03-20 11:03:52 +00:00			`}`
			`],`
			`"metrics": {`
			`"cvssMetricV30": [`
			`{`
			`"source": "security@huntr.dev",`
			`"type": "Secondary",`
			`"cvssData": {`
			`"version": "3.0",`
			`"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N",`
			`"baseScore": 3.4,`
			`"baseSeverity": "LOW",`
			`"attackVector": "NETWORK",`
			`"attackComplexity": "LOW",`
			`"privilegesRequired": "HIGH",`
			`"userInteraction": "REQUIRED",`
			`"scope": "CHANGED",`
			`"confidentialityImpact": "NONE",`
			`"integrityImpact": "LOW",`
			`"availabilityImpact": "NONE"`
			`},`
			`"exploitabilityScore": 1.7,`
			`"impactScore": 1.4`
			`}`
			`]`
			`},`
			`"weaknesses": [`
			`{`
			`"source": "security@huntr.dev",`
			`"type": "Primary",`
			`"description": [`
			`{`
			`"lang": "en",`
			`"value": "CWE-79"`
			`}`
			`]`
			`}`
			`],`
			`"references": [`
			`{`
			`"url": "https://github.com/mudler/localai/commit/a1634b219a4e52813e70ff07e6376a01449c4515",`
			`"source": "security@huntr.dev"`
			`},`
			`{`
			`"url": "https://huntr.com/bounties/31332c23-ea89-4176-ba57-388cf6008945",`
			`"source": "security@huntr.dev"`
			`}`
			`]`
			`}`