Cross-Site Scripting Flaw in Open-WebUI by Open-WebUI Team
CVE-2024-8017
9 CRITICAL
Summary
A Cross-Site Scripting flaw has been identified in Open-WebUI versions up to 0.3.8 that affects the construction of HTML for tooltips. This vulnerability enables attackers to execute malicious scripts in the context of a victim's session, potentially allowing them to compromise user accounts by stealing chat histories, deleting chats, and escalating their privileges to administrative levels if the compromised user has admin rights. Immediate action is advised to mitigate the risk associated with this vulnerability.
Affected Version(s)
open-webui/open-webui <= unspecified
CVSS V3.0
Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved