Cross-Site Scripting and Open Redirect Vulnerabilities in Lollms-Webui by Parisneo
CVE-2024-5125
Summary
The Lollms-Webui application version 9.6 is affected by critical vulnerabilities that allow Cross-Site Scripting (XSS) and Open Redirect attacks. Inadequate input validation during the upload of SVG files enables attackers to inject malicious JavaScript, which can be executed when the SVG content is rendered in a user's browser. This exploitation poses serious risks, including credential theft and unauthorized data access. Additionally, the Open Redirect flaw results from insufficient validation of URLs within the SVG files, permitting attackers to redirect unsuspecting users to fraudulent sites, increasing the threat of phishing attacks and malware distribution. These vulnerabilities are linked to the application's file-sending functionality to the AI module, highlighting the need for immediate remediation.
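The two flaws above share one root cause: an uploaded SVG is accepted and later rendered without checking for active content or outbound links. The following Python validator is an added example written for this advisory, not code from lollms-webui or Parisneo. It parses the upload as XML and rejects the constructs that turn an SVG into an XSS or open-redirect vector: script and HTML-embedding elements, on* event-handler attributes, javascript:/data: URLs, and href targets that point off-site. The allowed host, the sample SVGs and the function names are constructed for the example.

```python
"""Validate an uploaded SVG before it is stored or rendered.

Added example (not part of lollms-webui): flags script elements, event
handlers, script-scheme URLs and off-site links inside an SVG upload.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SVG_NS = "http://www.w3.org/2000/svg"

# Hostnames an uploaded SVG may link to (assumption for this example).
ALLOWED_LINK_HOSTS = {"app.example.invalid"}

# Elements that execute script or embed foreign (HTML) content.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]


def _url_finding(attr: str, value: str, where: str) -> str | None:
    """Return a finding for a URL attribute that is script-bearing or off-site."""
    parsed = urlparse(value.strip())
    scheme = parsed.scheme.lower()
    if scheme in ("javascript", "data", "vbscript"):
        return f"{where}: {attr} uses a {scheme}: URL"
    if scheme in ("http", "https") and (parsed.hostname or "") not in ALLOWED_LINK_HOSTS:
        # This is the open-redirect case: a link inside the image leads off-site.
        return f"{where}: {attr} points off-site to {parsed.hostname!r}"
    return None


def check_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the SVG passed.

    Note: xml.etree does not defend against entity-expansion attacks; a real
    deployment should parse with defusedxml and still serve uploads with
    Content-Disposition: attachment and a restrictive Content-Security-Policy.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return [f"root element is {root.tag!r}, expected an svg element"]

    findings: list[str] = []
    for elem in root.iter():  # includes the root itself
        name = _local(elem.tag)
        where = f"<{name}>"
        if name in DANGEROUS_TAGS:
            findings.append(f"{where}: disallowed element")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)
            if attr_name.lower().startswith("on"):
                findings.append(f"{where}: event handler attribute {attr_name}")
            elif attr_name == "href":  # covers both href and xlink:href
                finding = _url_finding(attr_name, value, where)
                if finding:
                    findings.append(finding)
            elif attr_name == "style" and "url(" in value.replace(" ", "").lower():
                findings.append(f"{where}: style attribute loads an external url()")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True when the upload contains none of the flagged constructs."""
    return not check_svg(data)


# Constructed samples for the example (not files from the advisory).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <script>/* constructed sample: would run in the viewer's browser */</script>
</svg>"""

HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><rect/></svg>"""

REDIRECT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="https://phish.example.invalid/login"><text y="10">sign in</text></a>
</svg>"""

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                          ("handler", HANDLER_SVG), ("redirect", REDIRECT_SVG)]:
        print(label, "->", check_svg(sample) or "ok")
```

Rejecting at upload time is only half of the fix: the same SVG must also be served in a way that the browser will not execute, which is why the comment above pairs the validator with Content-Disposition: attachment and a CSP.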
References
Timeline
Vulnerability published