x/vulndb: potential Go vuln in github.com/mudler/LocalAI: GHSA-ghx4-cgxw-7h9p

[GoVulnBot]

Advisory GHSA-ghx4-cgxw-7h9p references a vulnerability in the following Go modules:

Module
github.com/mudler/LocalAI

Description:
localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage.

References:

• ADVISORY: GHSA-ghx4-cgxw-7h9p
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-48057
• WEB: https://gist.github.com/AfterSnows/1bd7ee5a3a42dbb5f5ff67f7f9c8ccec
• WEB: https://github.com/mudler/LocalAI/blob/master/core/http/views/index.html#L75
• WEB: https://rumbling-slice-eb0.notion.site/LocalAI-deleted-model-with-storage-XSS-CSRF-vulnerability-in-mudler-localai-101e3cda9e8c80e0ac12fe418d5dd982?pvs=4

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/mudler/LocalAI
      vulnerable_at: 1.40.0
summary: LocalAI Cross-site Scripting vulnerability in github.com/mudler/LocalAI
cves:
    - CVE-2024-48057
ghsas:
    - GHSA-ghx4-cgxw-7h9p
references:
    - advisory: https://github.com/advisories/GHSA-ghx4-cgxw-7h9p
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-48057
    - web: https://gist.github.com/AfterSnows/1bd7ee5a3a42dbb5f5ff67f7f9c8ccec
    - web: https://github.com/mudler/LocalAI/blob/master/core/http/views/index.html#L75
    - web: https://rumbling-slice-eb0.notion.site/LocalAI-deleted-model-with-storage-XSS-CSRF-vulnerability-in-mudler-localai-101e3cda9e8c80e0ac12fe418d5dd982?pvs=4
source:
    id: GHSA-ghx4-cgxw-7h9p
    created: 2024-11-05T16:01:34.61050075Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/625955 mentions this issue: data/reports: add 4 unreviewed reports