CSRF and Local Attack Vulnerabilities in parisneo's Lollms Web UI

CVE-2024-6040

Summary

The Lollms Web UI version 9.8 by parisneo is vulnerable due to the absence of the client_id parameter in its binding information. This oversight presents multiple security risks, enabling endpoints such as /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings to be exploited. Attackers can initiate unauthorized actions on the victim's machine, compromising the user's interaction with the application.

References