Stored XSS Vulnerability in Parisneo's Lollms-webui Application
CVE-2024-2299
What is CVE-2024-2299?
The Lollms-WebUI application developed by Parisneo has a stored Cross-Site Scripting (XSS) vulnerability resulting from inadequate validation of uploaded files in the profile picture upload feature. This flaw allows attackers to upload malicious HTML files embedded with JavaScript code. When these files are accessed, the harmful scripts are executed in the context of the application. This vulnerability can be exploited remotely through Cross-Site Request Forgery (CSRF), enabling attackers to conduct actions on behalf of authenticated users and potentially gain unauthorized access to sensitive data stored within the Lollms-WebUI application.
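A server-side check of the kind whose absence the description above points to, as an added example that is not lollms-webui's own code. The function name, the size limit and the allowed image types are assumptions.

```python
import secrets

# Allowlist (assumed): leading magic bytes -> (extension, Content-Type to serve).
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("png", "image/png"),
    b"\xff\xd8\xff": ("jpg", "image/jpeg"),
    b"GIF87a": ("gif", "image/gif"),
    b"GIF89a": ("gif", "image/gif"),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}
MAX_AVATAR_BYTES = 2 * 1024 * 1024  # assumed limit


class RejectedUpload(ValueError):
    """Raised when an upload must not be stored."""


def validate_avatar(client_filename: str, data: bytes) -> dict:
    """Return storage/serving metadata for an accepted image, else raise."""
    if not data or len(data) > MAX_AVATAR_BYTES:
        raise RejectedUpload("empty or oversized upload")
    kind = next((v for m, v in IMAGE_SIGNATURES.items() if data.startswith(m)), None)
    if kind is None:
        raise RejectedUpload("content is not an allowed image type")
    ext, content_type = kind
    claimed = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    if EXTENSION_ALIASES.get(claimed, claimed) != ext:
        raise RejectedUpload("file extension does not match content")
    return {
        # Server-generated name: the client never controls the stored path or extension.
        "stored_name": f"{secrets.token_hex(16)}.{ext}",
        # Serve with the sniffed type and nosniff so the browser never renders it as HTML,
        # even if extra bytes follow a valid image header.
        "content_type": content_type,
        "headers": {"X-Content-Type-Options": "nosniff"},
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = {
        "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "avatar.html": b"<html><body>not an image</body></html>",
    }
    for name, body in samples.items():
        try:
            print(name, "->", validate_avatar(name, body))
        except RejectedUpload as exc:
            print(name, "-> rejected:", exc)
```

Content sniffing alone is not sufficient, which is why the result also fixes the stored extension and the response headers used when the file is served.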

Affected Version(s)
parisneo/lollms-webui <= unspecified
