CVE-2024-9311 is a CSRF vulnerability identified in haotian-liu/llava version 1.2.0 (LLaVA-1.6). This vulnerability allows an unauthenticated attacker to upload files containing malicious JavaScript code without any user interaction or authentication. The files are stored in predictable paths on the server, which means an attacker can craft URLs pointing to these malicious files. When a victim visits such a URL, the embedded JavaScript executes in the context of the victim's browser, potentially leading to session hijacking, theft of sensitive information, or other malicious actions compromising confidentiality and privacy. The vulnerability exploits the lack of CSRF protections on the file upload functionality, allowing cross-origin requests to perform unauthorized actions. The CVSS 3.0 base score is 6.1, reflecting medium severity due to network attack vector, no privileges required, but requiring user interaction. The vulnerability affects all unspecified versions of haotian-liu/llava, and no patches or known exploits are currently published. The predictable storage path of uploaded files increases the risk by simplifying exploitation. This vulnerability falls under CWE-352, which covers CSRF issues where state-changing requests can be forged by attackers.

For European organizations using haotian-liu/llava, this vulnerability poses a significant risk to client-side security and user privacy. Attackers can exploit this flaw to execute arbitrary JavaScript in users' browsers, potentially leading to session hijacking, unauthorized access to sensitive data, and compromise of user accounts. This can result in data breaches, loss of trust, and regulatory non-compliance under GDPR due to exposure of personal data. Since the attack requires victims to visit malicious URLs, phishing campaigns or malicious links could be used to trigger exploitation. The predictable file storage path increases the likelihood of successful attacks. Organizations relying on this software for AI or machine learning workloads that involve user interaction or web interfaces are particularly at risk. The medium severity score indicates a moderate but actionable threat that should be addressed promptly to avoid escalation.

1. Implement CSRF protections such as anti-CSRF tokens on all state-changing endpoints, especially file upload functionality. 2. Restrict file upload permissions and validate file types and contents rigorously to prevent malicious scripts. 3. Use unpredictable, randomized file storage paths or filenames to reduce the risk of attackers guessing URLs. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Educate users to avoid clicking on suspicious links and implement email filtering to reduce phishing risks. 6. Monitor web server logs for unusual file uploads or access patterns indicating exploitation attempts. 7. Apply the latest patches or updates from the vendor once available. 8. If immediate patching is not possible, consider isolating the vulnerable service or restricting access to trusted networks. 9. Conduct regular security assessments and penetration testing focusing on CSRF and file upload vectors. 10. Implement multi-factor authentication to reduce the impact of session hijacking if it occurs.