← volver
CVE-2024-6040

Missing client_id in parisneo/lollms-webui

CVSS 4.4 MEDIUMEPSS 0.2%CWE-352
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 4.4EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
01 ago 2024Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Productos afectados
parisneo · parisneo/lollms

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://huntr.com/bounties/ac0bbb1d-89aa-42ba-bc48-1b59bd16acc7