Cross-Site Scripting Flaw in Open-WebUI by Open-WebUI Team
CVE-2024-8017

9CRITICAL

Key Information:

Vendor: Open-webui
Status: Open-webui/open-webui
Vendor: CVE Published:; 20 March 2025

What is CVE-2024-8017?

A Cross-Site Scripting flaw has been identified in Open-WebUI versions up to 0.3.8 that affects the construction of HTML for tooltips. This vulnerability enables attackers to execute malicious scripts in the context of a victim's session, potentially allowing them to compromise user accounts by stealing chat histories, deleting chats, and escalating their privileges to administrative levels if the compromised user has admin rights. Immediate action is advised to mitigate the risk associated with this vulnerability.

Affected Version(s)

open-webui/open-webui <= unspecified

References

https://huntr.com/bounties/ef06c7c8-1cb2-42a7-a6e6-17b2e1...

CVSS V3.0

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Aug 20, 2024

Open-webui

What is CVE-2024-8017?

Affected Version(s)

References

CVSS V3.0

Timeline