Dave Lee

2 exploits | Active since Jul 2024
CVE-2024-6095 | MEDIUM | WRITEUP
mudler/localai < 2.17.0 - Server-Side Request Forgery and Partial Local File Inclusion via /models/apply Endpoint
A vulnerability in the /models/apply endpoint of mudler/localai version 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s):// and file:// schemes, and the latter can lead to LFI. However, the output is limited by the length of the error message. This vulnerability can be exploited by an attacker with network access to the LocalAI instance, potentially allowing unauthorized access to internal HTTP(S) servers and partial reading of local files. The issue is fixed in version 2.17.
CVSS 5.8
CVE-2024-9900 | MEDIUM | WRITEUP
mudler/localai < 2.22.0 - Cross-Site Scripting in Search Functionality
mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution of malicious scripts in the context of the victim's browser, potentially compromising user sessions, stealing session cookies, redirecting users to malicious websites, or manipulating the DOM.
CVSS 6.1