CSRF and Local Attack Vulnerabilities in parisneo's Lollms Web UI
CVE-2024-6040
8.8 HIGH
What is CVE-2024-6040?
The Lollms Web UI version 9.8 by parisneo is vulnerable because the client_id parameter is absent from its binding information. This oversight exposes endpoints such as /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings to CSRF and local attacks. An attacker can initiate unauthorized actions on the victim's machine, compromising the user's interaction with the application.
Affected Version(s)
parisneo/lollms <= unspecified
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
CVSS V3.0
Score: 4.4
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
