A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a user running AutoGPT in their local network to a malicious website. This site can then send crafted requests to the AutoGPT server, leading to command execution. The issue is exacerbated by CORS being enabled for arbitrary origins by default, allowing the attacker to read the response of all cross-site queries. This vulnerability was addressed in version 5.1.
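The description above names two missing controls: the instruction endpoint accepts cross-site requests without any anti-CSRF check, and CORS is granted to arbitrary origins so the malicious page can also read the responses. The following Python is an added illustration written for this page, not AutoGPT's code, of what each control looks like in its weak and hardened form; the origins, header names (`X-CSRF-Token`) and token value are constructed assumptions, not values from the advisory.

```python
"""Added example (not AutoGPT code): the two server-side controls whose absence
the CVE-2024-1879 description points at, shown as weak and hardened forms.
Every origin, header name and token value here is constructed for illustration."""
import hmac
from typing import Dict, Mapping, Optional, Tuple

# Constructed allowlist of first-party origins (hypothetical values).
ALLOWED_ORIGINS = frozenset({"http://localhost:8000", "http://127.0.0.1:8000"})

# Constructed per-session anti-CSRF token the first-party UI would hold.
SESSION_CSRF_TOKEN = "c0nstructed-token-value"


def cors_headers(request_origin: Optional[str], permissive: bool) -> Dict[str, str]:
    """CORS response headers for a request carrying `request_origin`.

    permissive=True models "CORS enabled for arbitrary origins": whatever origin
    asks is granted, so a cross-site page can read the response body.
    permissive=False only acknowledges origins on the allowlist; all others get
    no Access-Control-Allow-Origin header, so the browser withholds the body.
    """
    if request_origin is None:
        return {}
    if permissive or request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}


def authorize_instruction(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Decide whether a request to the instruction endpoint may be acted on.

    Two independent checks, both absent in the vulnerable state the advisory
    describes:
      1. If the browser sent an Origin header, it must be an allowed origin.
      2. The request must carry the session's anti-CSRF token in a custom
         header. A cross-site HTML form cannot set custom headers, and a
         cross-site fetch() that sets one triggers a preflight, which the
         hardened cors_headers() refuses for unknown origins.
    """
    # Header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}

    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"

    token = h.get("x-csrf-token", "")
    # Constant-time comparison so the token check does not leak via timing.
    if not hmac.compare_digest(token, SESSION_CSRF_TOKEN):
        return False, "missing or invalid CSRF token"

    return True, "ok"


# Constructed requests: what the first-party UI sends, and what a page on a
# different origin can make a victim's browser send without a preflight.
FIRST_PARTY_REQUEST = {
    "Origin": "http://localhost:8000",
    "Content-Type": "application/json",
    "X-CSRF-Token": SESSION_CSRF_TOKEN,
}
CROSS_SITE_REQUEST = {
    "Origin": "https://malicious.example",
    "Content-Type": "text/plain",  # simple request: no preflight, no custom headers
}

if __name__ == "__main__":
    for name, req in (("first-party", FIRST_PARTY_REQUEST), ("cross-site", CROSS_SITE_REQUEST)):
        ok, why = authorize_instruction(req)
        print(f"{name}: allowed={ok} ({why}); "
              f"weak CORS={cors_headers(req['Origin'], permissive=True)}; "
              f"hardened CORS={cors_headers(req['Origin'], permissive=False)}")
```

Running the block shows the cross-site request being granted a reflected `Access-Control-Allow-Origin` under the permissive setting and nothing under the allowlist, and being refused by the endpoint check in both cases; the token check is what stops the command from executing, the CORS allowlist is what stops the response from being read.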
History
Tue, 24 Sep 2024 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Agpt; Agpt autogpt | |
| CPEs | cpe:2.3:a:agpt:autogpt:0.5.0:*:*:*:*:*:*:* | |
| Vendors & Products | Agpt; Agpt autogpt | |
| Metrics | cvssV3_1 | |
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-06-06T17:53:21.654Z
Updated: 2024-08-21T14:26:56.090Z
Reserved: 2024-02-26T02:49:34.723Z
Link: CVE-2024-1879
Vulnrichment
Updated: 2024-08-01T18:56:22.272Z
NVD
Status: Modified
Published: 2024-06-06T18:15:12.827
Modified: 2024-11-21T08:51:30.603
Link: CVE-2024-1879
Redhat
No data.