Parisneo Lollms-Webui Vulnerability Leads to Denial of Service and Remote Exploitation
CVE-2024-6959
7.1 HIGH
What is CVE-2024-6959?
A Denial of Service (DoS) vulnerability exists in version 9.8 of lollms-webui from Parisneo that can be triggered through the upload of an audio file with an excessive number of characters appended to the multipart boundary. This manipulation leads to continuous processing by the system, making lollms-webui unavailable to users. The absence of Cross-Site Request Forgery (CSRF) protection further complicates this issue, allowing attackers to exploit the flaw remotely. The result is significant service disruption and resource depletion, which can lead to prolonged downtime and negatively impact the availability of the service.
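One way to reject an oversized boundary before any multipart parsing runs, shown as an added example (not code from lollms-webui or its maintainers): RFC 2046 limits a boundary to 1 to 70 characters from a fixed set, so the `Content-Type` header can be checked on its own. The function name `check_multipart_boundary` and the sample headers are constructed for illustration, and the check assumes the server can inspect the header before reading the body.

```python
import re
from email.message import Message

# RFC 2046 section 5.1.1: a boundary is 1-70 characters drawn from "bchars",
# and the last character must not be a space.
MAX_BOUNDARY_LEN = 70
_BCHARS = r"0-9A-Za-z'()+_,\-./:=?"
_BOUNDARY_RE = re.compile(rf"[{_BCHARS} ]*[{_BCHARS}]")


def check_multipart_boundary(content_type):
    """Validate the boundary of a multipart/form-data Content-Type value.

    Returns (ok, reason). Intended to run before the request body is read,
    so a malformed boundary never reaches the multipart parser.
    """
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_type() != "multipart/form-data":
        return False, "not multipart/form-data"
    boundary = msg.get_param("boundary")
    if not isinstance(boundary, str) or not boundary:
        # Missing, empty, or RFC 2231-encoded (tuple) boundary.
        return False, "missing or encoded boundary"
    if len(boundary) > MAX_BOUNDARY_LEN:
        return False, f"boundary too long ({len(boundary)} > {MAX_BOUNDARY_LEN})"
    if not _BOUNDARY_RE.fullmatch(boundary):
        return False, "boundary contains characters outside RFC 2046 bchars"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    samples = [
        "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
        "multipart/form-data; boundary=----x" + "A" * 100_000,
        "multipart/form-data",
    ]
    for header in samples:
        ok, reason = check_multipart_boundary(header)
        print(f"{header[:60]!r:64} -> {'accept' if ok else 'reject'}: {reason}")
```

A request that fails this check can be answered with HTTP 400 without touching the upload body.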
Affected Version(s)
parisneo/lollms-webui <= unspecified