CVE-2024-6040
Missing client_id in parisneo/lollms-webui
Vexday Risk Score: 13 (Low)
SSVC decision (CISA): Track (no exploitation signal, monitor)
CVSS: 4.4 | EPSS: 0.2% | KEV: no | PoC: none listed | Nuclei: none listed | Metasploit: none listed | Patch: none listed
Lifecycle: 01 Aug 2024, published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In parisneo/lollms-webui version v9.8, lollms_binding_infos does not take a client_id parameter, so the binding-management endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings and /update_binding_settings accept state-changing requests without any per-client token. They are therefore susceptible to CSRF attacks and to local attacks: an attacker who can get a request to these endpoints (for example, a cross-site request issued from a page the victim visits) can perform unauthorized binding actions on the victim's machine.
CVSS v3.0 vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
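The following is an added illustration of the vulnerability class the advisory describes; it is not code from lollms-webui and does not reproduce the project's handlers. It models the listed endpoints as plain Python functions in two shapes: the vulnerable one, where a change is applied as soon as a cookie-bound session resolves (which is exactly what happens on a cross-site form POST, since the browser attaches the victim's cookies), and a hardened one that requires a per-session client_id in the request body and compares it in constant time. The Session and ServerState classes, the body key binding_name and the demo() driver are assumptions made for the example.

```python
"""Added illustration for CVE-2024-6040; this is not lollms-webui's own code.

The session model, ServerState and the request body keys are assumptions
made for this example.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# State-changing endpoints named in the advisory.
STATE_CHANGING = {
    "/reload_binding", "/install_binding", "/reinstall_binding",
    "/unInstall_binding", "/set_active_binding_settings",
    "/update_binding_settings",
}


@dataclass
class Session:
    """Server-side session (assumed). client_id is a random token issued once
    per session and handed to the legitimate front end in the page, never
    stored in a cookie (a cookie would ride along with a forged request)."""
    sid: str
    client_id: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class ServerState:
    """Stand-in for the mutable binding configuration (assumed)."""
    applied: list = field(default_factory=list)


def vulnerable_handler(state: ServerState, session: Session,
                       path: str, body: dict) -> int:
    """Vulnerable shape: the change is applied as soon as a session resolves.
    In a CSRF the browser attaches the victim's cookie, so the session
    resolves and the attacker-chosen body is applied."""
    if path not in STATE_CHANGING:
        return 404
    state.applied.append((path, body.get("binding_name")))  # assumed body key
    return 200


def hardened_handler(state: ServerState, session: Session,
                     path: str, body: dict) -> int:
    """Hardened shape: require the session's client_id in the body and compare
    it in constant time. A cross-site page cannot read the victim's token, so
    a forged request is refused before any state changes."""
    if path not in STATE_CHANGING:
        return 404
    supplied = body.get("client_id")
    if not isinstance(supplied, str):
        return 403
    # Compare as bytes so a non-ASCII attacker value cannot raise instead of failing.
    if not hmac.compare_digest(supplied.encode(), session.client_id.encode()):
        return 403
    state.applied.append((path, body.get("binding_name")))
    return 200


def demo() -> dict:
    """Run forged and legitimate requests through both handlers (constructed input)."""
    session = Session(sid=secrets.token_urlsafe(16))
    forged = {"binding_name": "attacker_choice"}                      # no token
    guessed = {"binding_name": "attacker_choice", "client_id": "guess"}
    legit = {"binding_name": "ok", "client_id": session.client_id}

    vuln_state, hard_state = ServerState(), ServerState()
    results = {
        "vulnerable_forged": vulnerable_handler(vuln_state, session, "/install_binding", forged),
        "hardened_forged": hardened_handler(hard_state, session, "/install_binding", forged),
        "hardened_guess": hardened_handler(hard_state, session, "/install_binding", guessed),
        "hardened_legit": hardened_handler(hard_state, session, "/install_binding", legit),
        "unknown_path": hardened_handler(hard_state, session, "/not_an_endpoint", legit),
    }
    results["vulnerable_applied"] = len(vuln_state.applied)   # forged request landed
    results["hardened_applied"] = len(hard_state.applied)     # only the legitimate one
    return results


if __name__ == "__main__":
    print(demo())
```

The token only helps if the front end obtains it from a same-origin response and sends it in the body or a custom header; putting it in a cookie would defeat the check, because the browser attaches cookies to cross-site requests automatically. In a real deployment this check is normally paired with SameSite cookie attributes and an Origin or Referer check, and the "local attacks" the advisory also mentions need their own mitigation, since a process on the same host can reach the endpoints directly.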
Affected products
parisneo · parisneo/lollms