Vanna AI Cross-Site Request Forgery Vulnerability Allowing Arbitrary SQL Command Execution

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Vanna AI repository, specifically in the latest commit. It affects two endpoints in the built-in web application that handle SQL functionality; both are exposed as simple GET requests, so any web page the user visits can cause the user's browser to issue them, which makes the endpoints vulnerable to CSRF. An attacker can exploit this to execute arbitrary SQL commands via CSRF even though the target user never intended to expose the web application to the network or to other users. The impact is limited to unauthorized data modification or deletion, because the attacker cannot read the results of the executed queries.
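The following is an added example, not code from the Vanna AI project, showing the defences that close the gap described above for any web application that runs SQL on behalf of a browser request: state-changing work is refused over GET, the browser-supplied Sec-Fetch-Site and Origin/Referer headers must indicate a same-origin request, and a per-session synchronizer token must be present and match. The Request class, the application origin, the endpoint path and the two sample requests are all constructed for this example and are not the project's own names or endpoints.

```python
# Added example (not Vanna AI project code): a framework-agnostic CSRF check
# to apply before executing any SQL supplied by a browser request.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    """Minimal stand-in for a web framework's request object (constructed)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) the per-session synchronizer token embedded in forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _header(headers: dict, name: str):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csrf_check(req: Request, session: dict, app_origin: str) -> tuple:
    """Return (allowed, reason). Every state-changing SQL request must pass this."""
    # 1. Safe methods must never change state: refuse to run SQL over GET/HEAD.
    if req.method.upper() not in ("POST", "PUT", "PATCH", "DELETE"):
        return False, "state-changing SQL must not be reachable via %s" % req.method
    # 2. Fetch metadata: current browsers label cross-site requests for us.
    sfs = _header(req.headers, "Sec-Fetch-Site")
    if sfs is not None and sfs not in ("same-origin", "none"):
        return False, "cross-site request (Sec-Fetch-Site=%s)" % sfs
    # 3. Origin (falling back to Referer) must match the application's own origin.
    origin = _header(req.headers, "Origin")
    if origin is None:
        referer = _header(req.headers, "Referer")
        if referer is not None:
            parts = urlsplit(referer)
            origin = "%s://%s" % (parts.scheme, parts.netloc)
    if origin is None or origin.lower() != app_origin.lower():
        return False, "origin mismatch: %r" % origin
    # 4. Synchronizer token: a page on another site cannot read the victim's
    #    session token, so it cannot supply a matching value.
    expected = session.get("csrf_token")
    supplied = req.form.get("csrf_token") or _header(req.headers, "X-CSRF-Token")
    if not expected or not supplied or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def run_sql_endpoint(req: Request, session: dict, app_origin: str, execute) -> dict:
    """Guarded handler: executes the submitted SQL only if csrf_check passes."""
    allowed, reason = csrf_check(req, session, app_origin)
    if not allowed:
        return {"status": 403, "error": reason}
    execute(req.form["sql"])
    return {"status": 200}


def demo() -> tuple:
    """Run one cross-site GET and one same-origin POST through the guard."""
    app_origin = "http://localhost:8084"  # assumed local origin (constructed)
    session = {}
    token = issue_csrf_token(session)
    executed = []  # stands in for the database; records what was run
    # Constructed request in the GET-based pattern the advisory describes:
    # the user's browser follows a link from an unrelated page.
    forged = Request("GET", app_origin + "/run_sql?sql=DELETE+FROM+t",
                     headers={"Sec-Fetch-Site": "cross-site",
                              "Referer": "http://other-site.example/"})
    # Constructed request from the application's own page, carrying the token.
    legit = Request("POST", app_origin + "/run_sql",
                    headers={"Origin": app_origin, "Sec-Fetch-Site": "same-origin"},
                    form={"sql": "SELECT 1", "csrf_token": token})
    first = run_sql_endpoint(forged, session, app_origin, executed.append)
    second = run_sql_endpoint(legit, session, app_origin, executed.append)
    return first["status"], second["status"], executed


if __name__ == "__main__":
    print(demo())  # (403, 200, ['SELECT 1'])
```

The four checks are deliberately layered: the method check alone already defeats the link- and image-tag style request the advisory describes, the fetch-metadata and Origin checks cover form-based cross-site POSTs from browsers that send those headers, and the synchronizer token covers clients that do not. For an application that is only ever meant to be reached from the local machine, binding the listener to the loopback address reduces exposure but does not stop CSRF, because the request still originates from the user's own browser.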

Impact

Exploitation of this vulnerability allows Cross-Site Request Forgery attacks in which an attacker submits SQL commands through the vulnerable endpoints. This could lead to unauthorized alteration or deletion of data within the application.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  6.0
remediation     0.0
relevance       0.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.