Cross-Site Scripting and Open Redirect Vulnerabilities in Lollms-Webui by Parisneo
CVE-2024-5125

7.3 HIGH

Key Information:

Vendor: Parisneo
CVE Published: 14 November 2024

What is CVE-2024-5125?

Lollms-Webui version 9.6 contains critical vulnerabilities that allow Cross-Site Scripting (XSS) and Open Redirect attacks. Because uploaded SVG files are not adequately validated, an attacker can embed JavaScript in an SVG, and that script executes when the SVG is rendered in a user's browser; this exposes users to credential theft and unauthorized data access. The Open Redirect flaw stems from the same insufficient validation of URLs inside the SVG: a link in the file can send an unsuspecting user to a fraudulent site, which increases the risk of phishing and malware distribution. Both issues lie in the feature that sends files to the AI module, and they call for immediate remediation.
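A defensive check of the kind the description calls for, added here as an example and not code from lollms-webui: a Python validator that accepts an uploaded SVG only if every element is on an allow-list, no event-handler attribute is present, and every href points at an in-document fragment or an inline raster image, which addresses both the script-injection and the redirect cases. The allow-list, the two constructed sample files and the function names are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET  # in production use defusedxml.ElementTree to block entity-expansion DoS

# Element allow-list (constructed policy for this example; extend it to what the app really needs).
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse", "line",
    "polyline", "polygon", "text", "tspan", "use", "clipPath", "mask",
    "linearGradient", "radialGradient", "stop",
}
# A link target may only be an in-document fragment (#id) or an inline raster image; any other
# scheme (http, https, javascript, data:text/html, ...) is rejected, which also closes the open redirect.
SAFE_HREF = re.compile(r"^(#[A-Za-z0-9_.:-]+|data:image/(png|jpeg|gif);base64,[A-Za-z0-9+/=]+)$")
UNSAFE_STYLE = re.compile(r"url\s*\(|expression\s*\(|@import", re.IGNORECASE)


def local_name(qualified):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.split("}", 1)[1] if "}" in qualified else qualified


def check_svg(svg_bytes):
    """Return the policy violations in an uploaded SVG; an empty list means it is accepted."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if local_name(root.tag) != "svg":
        problems.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for el in root.iter():
        name = local_name(el.tag)
        if name not in ALLOWED_ELEMENTS:  # catches <script>, <a>, <foreignObject>, <image>, ...
            problems.append(f"disallowed element <{name}>")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):  # onload, onclick, onerror, ...: inline script
                problems.append(f"event-handler attribute {aname} on <{name}>")
            elif aname == "href" and not SAFE_HREF.match(value.strip()):  # href and xlink:href
                problems.append(f"unsafe href on <{name}>: {value!r}")
            elif aname == "style" and UNSAFE_STYLE.search(value):
                problems.append(f"unsafe style on <{name}>: {value!r}")
    return problems


# Constructed sample uploads: one benign, one carrying both issue classes the advisory describes.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<defs><rect id="r" width="4" height="4"/></defs><use xlink:href="#r"/></svg>')
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><script>stub()</script>'
                 b'<a href="https://example.invalid/"><rect width="4" height="4" onclick="stub()"/></a></svg>')
```

Rejecting the file at upload time is the primary control; serving user SVGs with a restrictive Content-Security-Policy and as a download rather than inline rendering is the usual defence in depth.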

Affected Version(s)

parisneo/lollms-webui < 9.8

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

CVSS V3.0

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published