A Cross-Site Request Forgery (CSRF) vulnerability exists...
Moderate severity
Unreviewed
Published Jul 6, 2024 to the GitHub Advisory Database
Published by the National Vulnerability Database: Jul 6, 2024
Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as 'gpt-4-vision-preview', without the victim's consent. The vulnerability is due to insufficient CSRF protection mechanisms on the model deletion functionality.
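A server-side guard of the kind that closes this class of bug is sketched below as an added example; it is not LocalAI's code or its actual fix. It restricts a deletion handler to state-changing methods and refuses requests a browser sent from another origin. The host `localai.example`, the route and the stand-in handler are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// crossSite reports whether a browser sent r on behalf of another origin.
func crossSite(r *http.Request) bool {
	// Fetch Metadata: current browsers label every request they send.
	if s := r.Header.Get("Sec-Fetch-Site"); s != "" {
		return s != "same-origin" && s != "none"
	}
	// Fallback: compare the Origin header with the Host we were reached on.
	if o := r.Header.Get("Origin"); o != "" {
		u, err := url.Parse(o)
		return err != nil || u.Host != r.Host
	}
	return false // neither header: not a browser (CLI or SDK client)
}

// guard allows only state-changing methods and refuses cross-origin ones.
func guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.Method != http.MethodPost && r.Method != http.MethodDelete:
			http.Error(w, "use POST or DELETE", http.StatusMethodNotAllowed)
		case crossSite(r):
			http.Error(w, "cross-origin request refused", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// status sends one constructed request through a guarded stand-in handler (hypothetical route and host).
func status(method string, hdr http.Header) int {
	del := func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) }
	req := httptest.NewRequest(method, "http://localai.example/hypothetical/delete", nil)
	req.Header = hdr
	rec := httptest.NewRecorder()
	guard(http.HandlerFunc(del)).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status("POST", http.Header{"Origin": {"http://other.example"}}), status("POST", http.Header{})) // 403 204
}
```

Where the API authenticates with cookies, this header check complements SameSite cookie attributes and per-session CSRF tokens rather than replacing them.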