Denial of Service Vulnerability in Parisneo Lollms-Webui by Parisneo
CVE-2024-8736
6.5MEDIUM
Summary
A vulnerability exists in the Lollms-Webui application that can be exploited remotely through Cross-Site Request Forgery (CSRF) attacks. Although CSRF protection is in place to prevent unauthorized file uploads, the application still processes multipart boundaries incorrectly. This flaw allows attackers to append excessive characters to multipart boundaries in requests, causing the server to ineffeciently parse each byte, leading to resource exhaustion and, ultimately, service unavailability. The vulnerability affects multiple file upload endpoints including /upload_avatar, /upload_app, and /upload_logo.
Affected Version(s)
parisneo/lollms-webui <= unspecified
References
CVSS V3.1
Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
CVSS V3.0
Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved