CSRF and Local Attack Vulnerabilities in parisneo's Lollms Web UI
CVE-2024-6040

8.8HIGH

Key Information:

Vendor

parisneo

Vendor
CVE Published:
1 August 2024

What is CVE-2024-6040?

The Lollms Web UI version 9.8 by parisneo is vulnerable due to the absence of the client_id parameter in its binding information. This oversight presents multiple security risks, enabling endpoints such as /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings to be exploited. Attackers can initiate unauthorized actions on the victim's machine, compromising the user's interaction with the application.

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

.