CVE-2024-9311

MEDIUM

haotian-liu/llava v1.2.0 - Unauthenticated Cross-Site Request Forgery and Arbitrary File Upload

Title source: llm

Description

A Cross-Site Request Forgery (CSRF) vulnerability in haotian-liu/llava v1.2.0 (LLaVA-1.6) allows an attacker to upload files with malicious content without authentication or user interaction. The uploaded file is stored in a predictable path, enabling the attacker to execute arbitrary JavaScript code in the context of the victim's browser by visiting the crafted file URL. This can lead to theft of sensitive information, session hijacking, or other actions compromising the security and privacy of the victim.

References (1)

Core 1

Core References

Exploit, Third Party Advisory

https://huntr.com/bounties/15b18b85-5a6b-43e7-bc65-6b4772871e98

Scores

CVSS v3 6.1

EPSS 0.0020

EPSS Percentile 9.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (1)

hliu/large_language_and_vision_assistant 1.2.0

Published Mar 20, 2025

Tracked Since Feb 18, 2026