← Back

CVE-2024-11045

nvd nist
Published: Mar 20, 2025Modified: Aug 5, 2025

JSON object

Loading...
9.6
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 6.0
Source: security@huntr.dev (Secondary)

Description

A Cross-Site WebSocket Hijacking (CSWSH) vulnerability in automatic1111/stable-diffusion-webui version 1.10.0 allows an attacker to clone a malicious server extension from a GitHub repository. The vulnerability arises from the lack of proper validation on WebSocket connections at ws://127.0.0.1:7860/queue/join, enabling unauthorized actions on the server. This can lead to unauthorized cloning of server extensions, execution of malicious scripts, data exfiltration, and potential denial of service (DoS).

Affected (1)

Automatic1111
1 product
Stable Diffusion Webui
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Stable Diffusion Webui
Version 1.10.0

Related CWEs

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-346
Origin Validation Error
The product does not properly verify that the source of data or communication is valid.

References (1)

Source: security@huntr.dev
ExploitThird Party Advisory

Timeline

No history available yet.