Lucene search

@huntr_aiCVE-2024-2299

HistoryMay 14, 2024 - 3:18 p.m.

CVE-2024-2299

2024-05-1415:18:47

CWE-79

@huntr_ai

web.nvd.nist.gov

xss vulnerability

parisneo/lollms-webui

profile picture upload

remote exploit

csrf

unauthorized access

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

AI Score

5.5

Confidence

High

EPSS

Percentile

9.0%

JSON

A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing JavaScript code, which is executed when the file is accessed. This vulnerability is remotely exploitable via Cross-Site Request Forgery (CSRF), allowing attackers to perform actions on behalf of authenticated users and potentially leading to unauthorized access to sensitive information within the Lollms-webui application.

CNA Affected

[
  {
    "vendor": "parisneo",
    "product": "parisneo/lollms-webui",
    "versions": [
      {
        "version": "unspecified",
        "status": "affected",
        "versionType": "custom",
        "lessThanOrEqual": "latest"
      }
    ]
  }
]

References

huntr.com/bounties/f1adaac0-b9ed-4093-a0f3-2d0a4ecba398

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

AI Score

5.5

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for CVE-2024-2299