CVE-2024-11302

Missing check_access in lollms_binding_infos in parisneo/lollms

CVSS 8 HIGHEPSS 0.2%CWE-304

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

20 Mar 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A missing check_access() function in the lollms_binding_infos module of the parisneo/lollms repository, version V14, allows attackers to add, modify, and remove bindings arbitrarily. This vulnerability affects the /install_binding and /reinstall_binding endpoints, among others, enabling unauthorized access and manipulation of binding settings without requiring the client_id value.

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Affected products

parisneo · parisneo/lollms

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://huntr.com/bounties/e341304b-4651-4de9-b7b9-b89aead3b46e