Access Control Vulnerability in Parisneo Lollms Module
CVE-2024-11302
8 HIGH
What is CVE-2024-11302?
A serious access control issue in the lollms_binding_infos module of Parisneo Lollms version V14 allows attackers to perform unauthorized actions. The vulnerability results from a missing check_access() function, particularly affecting the /install_binding and /reinstall_binding endpoints. As a result, attackers can arbitrarily add, modify, and remove binding settings without needing the client_id value.
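The missing check described above, sketched as an added example that is not lollms code: the two endpoint paths come from the advisory, while `make_app`, the request shape, the session table and this `check_access` signature are assumptions made for illustration. With the guard off, a request carrying no `client_id` changes binding state; with it on, the same request is rejected, and `unguarded_routes` serves as a regression check for handlers registered without the guard.

```python
import hmac


class AccessDenied(Exception):
    """Raised when a request carries no valid client_id."""


def check_access(sessions, client_id):
    # Hypothetical signature: compare in constant time against every issued id.
    ok = isinstance(client_id, str) and any(
        hmac.compare_digest(client_id.encode(), s.encode()) for s in sessions
    )
    if not ok:
        raise AccessDenied("missing or unknown client_id")


def make_app(guard_binding_routes):
    """Build a toy route table; the flag toggles the check on the binding routes."""
    sessions = {"constructed-client-id-1"}  # constructed sample session
    bindings = {}                           # binding name -> state
    routes = {}

    def route(path, guarded):
        def register(fn):
            def handler(request):
                if guarded:  # the call the advisory reports as missing
                    check_access(sessions, request.get("client_id"))
                return fn(request)
            handler.guarded = guarded
            routes[path] = handler
            return handler
        return register

    @route("/install_binding", guarded=guard_binding_routes)
    def install_binding(request):
        bindings[request["name"]] = "installed"
        return {"status": True}

    @route("/reinstall_binding", guarded=guard_binding_routes)
    def reinstall_binding(request):
        bindings[request["name"]] = "reinstalled"
        return {"status": True}

    return routes, bindings


def unguarded_routes(routes):
    """Regression check: list routes registered without the access guard."""
    return sorted(path for path, h in routes.items() if not h.guarded)
```

Running `unguarded_routes` over the real route table in CI turns a forgotten access check into a failing build instead of a shipped endpoint.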
Affected Version(s)
parisneo/lollms <= unspecified