CRITICAL🇵🇱 Wersja polska

CVE-2024-8487

CVSS 9.8v3.1pub. 2025-03-20upd. 2025-04-01

A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can lead to unauthorized data access, information disclosure, and potential further exploitation, thereby compromising the integrity and confidentiality of the system.

🤖 AI Analysis
How it works

The AgentScope server does not implement proper CORS policy — the configuration does not restrict access exclusively to trusted domains (CWE-346: Origin Validation Error). As a result, a malicious website visited by a user can send cross-origin requests to the AgentScope API on their behalf. The victim's browser includes authenticating headers or cookies with these requests, allowing the attacker to interact with the API with the permissions of the logged-in user.

Impact

An attacker can gain unauthorized access to data processed by the API, lead to disclosure of sensitive information, and potentially conduct further attacks compromising system integrity and confidentiality.

Mitigation & patch

Apply patches available from the vendor according to references. Additionally, it is recommended to manually implement a restrictive CORS policy on the AgentScope server, limiting allowed 'Access-Control-Allow-Origin' headers exclusively to trusted domains.

Who is affected

Modelscope AgentScope version v0.0.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Modelscope Agentscope

    APP
    Modelscope
    0.0.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-8537CRITICAL9.1PL ✓ten sam produkt

Path traversal umożliwiający usunięcie dowolnych plików w AgentScope

CVE-2024-8551CRITICAL9.1PL ✓ten sam produkt

Path traversal w AgentScope umożliwia odczyt i zapis plików JSON

CVE-2024-48050CRITICAL9.8PL ✓ten sam produkt

RCE przez niezabezpieczone eval() w Modelscope AgentScope

CVE-2024-8524HIGH7.5ten sam produkt

A directory traversal vulnerability exists in modelscope/agentscope version 0.0.4. An attacker can exploit thi...

CVE-2024-8501HIGH8.8ten sam produkt

An arbitrary file download vulnerability exists in the rpc_agent_client component of modelscope/agentscope ver...