Cross-site Scripting Vulnerability in lollms-webui by parisneo
CVE-2024-6986
5.5 MEDIUM
What is CVE-2024-6986?
A Cross-site Scripting (XSS) vulnerability in the Settings page of lollms-webui version 9.8 allows attackers to inject and execute malicious JavaScript code. This issue originates from the improper handling of the 'v-html' directive, which directly incorporates user input from the 'System Template' field into the HTML content. By exploiting this vulnerability, attackers can manipulate and execute harmful scripts, posing significant security risks to users of the application.
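As an added example (not code from lollms-webui or from this advisory), the scanner below flags `v-html` bindings in Vue template source so each one can be reviewed for user-controlled input. The two sample templates are constructed, and `systemTemplate` and `findVHtmlBindings` are hypothetical names.

```javascript
// Constructed sample templates (not taken from lollms-webui's source).
// `systemTemplate` is a hypothetical name for the Settings field's value.
const VULNERABLE_TEMPLATE = `<template>
  <div class="settings">
    <label>System Template</label>
    <div class="preview" v-html="systemTemplate"></div>
  </div>
</template>`;

// Hardened form: text interpolation, which Vue renders as plain text, not HTML.
const HARDENED_TEMPLATE = `<template>
  <div class="settings">
    <label>System Template</label>
    <div class="preview">{{ systemTemplate }}</div>
  </div>
</template>`;

// Report every v-html binding in a Vue template: line, tag, bound expression.
// Limitation: an attribute value containing ">" before v-html on the same tag
// is not handled; this is a review aid, not a full template parser.
function findVHtmlBindings(source) {
  const findings = [];
  // Opening tag that carries v-html="..." or v-html='...'.
  const tagRe = /<([A-Za-z][\w-]*)\b[^>]*?\sv-html\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = tagRe.exec(source)) !== null) {
    // 1-based line number of the tag's opening "<".
    const line = source.slice(0, m.index).split("\n").length;
    findings.push({ line, tag: m[1], expression: (m[2] ?? m[3]).trim() });
  }
  return findings;
}

console.log("vulnerable:", findVHtmlBindings(VULNERABLE_TEMPLATE));
console.log("hardened:  ", findVHtmlBindings(HARDENED_TEMPLATE));
```

Each finding still needs a manual check of where the bound expression gets its value; a binding fed only by trusted, static content is a different risk from one fed by a form field.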
Affected Version(s)
parisneo/lollms-webui <= unspecified