Vulnerability Information
Vulnerability Title
Langfuse SSO Account Takeover via CSRF or phishing attack
Vulnerability Description
Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTH_<PROVIDER>_CHECK setting, a potential account takeover may happen if an authenticated user is made to call a specifically crafted URL via a CSRF or phishing attack. This issue has been patched in versions 2.95.12 and 3.131.0. A workaround for this issue involves setting AUTH_<PROVIDER>_CHECK.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Vulnerability Type
Cross-Site Request Forgery (CSRF)
Vulnerability Title
langfuse cross-site request forgery vulnerability
Vulnerability Description
langfuse is an open source large language model engineering platform from Langfuse. langfuse versions 2.95.0 up to (but not including) 2.95.12, and 3.17.0 up to (but not including) 3.131.0, contain a cross-site request forgery vulnerability. The vulnerability stems from an improper SSO configuration and may lead to account takeover.
CVSS Information
N/A
Vulnerability Type
N/A