Access Control Vulnerability in Parisneo Lollms Module
CVE-2024-11302
Score 8 (HIGH)
Summary
A serious access control issue in the lollms_binding_infos module of Parisneo Lollms version V14 allows attackers to perform unauthorized actions. The vulnerability stems from a missing check_access() call, affecting in particular the /install_binding and /reinstall_binding endpoints. As a consequence, malicious actors can arbitrarily add, modify, and remove binding settings without supplying the client_id value, which raises significant security concerns.
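The pattern the advisory describes, modelled as an added illustration that is not lollms code: a binding endpoint that mutates state without ever calling check_access(), beside a hardened version that validates client_id before any change and a central dispatcher that applies the check to every mutating route so a single forgotten call cannot reopen the hole. The class, session registry and request shape below are constructed for this example and are not the project's own.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a request carries no valid client_id."""


@dataclass
class BindingServer:
    sessions: set = field(default_factory=set)    # client_ids issued at connect time (constructed)
    bindings: dict = field(default_factory=dict)  # binding name -> settings

    def check_access(self, client_id):
        # Stand-in for the check the advisory says the vulnerable endpoints skip.
        if client_id not in self.sessions:
            raise AccessDenied("unknown or missing client_id")

    # Vulnerable shape: the handler trusts the body and mutates state with no check.
    def install_binding_unchecked(self, data):
        self.bindings[data["name"]] = dict(data.get("settings", {}))
        return {"status": True}

    # Hardened shape: validate client_id before any state change.
    def install_binding(self, data):
        self.check_access(data.get("client_id"))
        return self.install_binding_unchecked(data)

    def reinstall_binding(self, data):
        self.check_access(data.get("client_id"))
        if data["name"] not in self.bindings:
            return {"status": False, "error": "binding not installed"}
        return self.install_binding_unchecked(data)

    def dispatch(self, route, data):
        """Central guard: every mutating route is checked here as well, so a
        handler that forgets check_access() is still protected."""
        handlers = {"/install_binding": self.install_binding,
                    "/reinstall_binding": self.reinstall_binding}
        self.check_access(data.get("client_id"))
        return handlers[route](data)


def demo():
    srv = BindingServer(sessions={"c1"})
    unchecked = srv.install_binding_unchecked({"name": "foo"})  # succeeds: no check
    try:
        srv.dispatch("/install_binding", {"name": "bar"})  # no client_id in body
        denied = False
    except AccessDenied:
        denied = True
    ok = srv.dispatch("/reinstall_binding", {"client_id": "c1", "name": "foo"})
    return unchecked["status"], denied, ok["status"], sorted(srv.bindings)
```

demo() returns (True, True, True, ["foo"]): the unchecked handler accepts a body with no client_id, the guarded dispatcher rejects the same body, and only the request with a valid client_id reaches the binding store.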
Affected Version(s)
parisneo/lollms <= unspecified
References
CVSS V3.0
Score: 8
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved