Stored XSS Vulnerability in Parisneo's Lollms-webui Application
CVE-2024-2299

7.4 HIGH

Key Information:

Vendor:
Parisneo
CVE Published:
14 May 2024

What is CVE-2024-2299?

The Lollms-WebUI application developed by Parisneo has a stored Cross-Site Scripting (XSS) vulnerability resulting from inadequate validation of uploaded files in the profile picture upload feature. This flaw allows attackers to upload malicious HTML files embedded with JavaScript code. When these files are accessed, the harmful scripts are executed in the context of the application. This vulnerability can be exploited remotely through Cross-Site Request Forgery (CSRF), enabling attackers to conduct actions on behalf of authenticated users and potentially gain unauthorized access to sensitive data stored within the Lollms-WebUI application.
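The root cause described above is an upload path that trusts the file name or declared type. As an added example (not code from the lollms-webui project; function names are hypothetical), this is the server-side check a defender would want: accept a profile picture only when its magic bytes identify a real image and agree with the extension, and serve stored pictures with headers that stop a browser from reinterpreting them as an HTML document.

```python
from typing import Optional, Tuple

# Magic-byte signatures for the image types a profile-picture endpoint should accept.
# Checking the bytes, not the user-supplied name or Content-Type, blocks an HTML file renamed to avatar.png.
IMAGE_SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
ALLOWED_EXTENSIONS = {
    "image/png": {"png"},
    "image/jpeg": {"jpg", "jpeg"},
    "image/gif": {"gif"},
    "image/webp": {"webp"},
}

def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if this is not an image."""
    for mime, magic in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":  # WebP: RIFF container tagged WEBP
        return "image/webp"
    return None

def validate_profile_picture(filename: str, data: bytes, max_bytes: int = 2 * 1024 * 1024) -> Tuple[bool, Optional[str], str]:
    """Hypothetical upload check: returns (accepted, mime_type, reason)."""
    if len(data) > max_bytes:
        return False, None, "file exceeds size limit"
    mime = sniff_image_type(data)
    if mime is None:
        return False, None, "content is not a recognised image"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS[mime]:
        return False, None, "extension does not match image content"
    return True, mime, "ok"

def serving_headers(mime: str) -> dict:
    """Headers for returning a stored picture so a browser cannot reinterpret it as HTML."""
    return {
        "Content-Type": mime,                                      # fixed type recorded at upload time
        "X-Content-Type-Options": "nosniff",                       # never guess a type from the bytes
        "Content-Security-Policy": "default-src 'none'; sandbox",  # inert even if misrendered
    }

# Constructed samples: an HTML document carrying a script tag, and a minimal PNG header.
HTML_UPLOAD = b"<!doctype html><html><body><script>/* constructed */</script></body></html>"
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
```

The HTML sample is rejected whether it is named `avatar.html` or `avatar.png`, because the decision rests on the bytes rather than the name.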

Affected Version(s)

parisneo/lollms-webui <= unspecified

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
