CSRF and Local Attack Vulnerabilities in parisneo's Lollms Web UI
CVE-2024-6040

8.8HIGH

Key Information:

Vendor: parisneo
Status: Lollms Web UI
Vendor: CVE Published:; 1 August 2024

What is CVE-2024-6040?

The Lollms Web UI version 9.8 by parisneo is vulnerable due to the absence of the client_id parameter in its binding information. This oversight presents multiple security risks, enabling endpoints such as /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings to be exploited. Attackers can initiate unauthorized actions on the victim's machine, compromising the user's interaction with the application.

References

https://huntr.com/bounties/ac0bbb1d-89aa-42ba-bc48-1b59bd...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 1, 2024