CVE-2024-24566

2024-01-3117:15:39

CWE-284

[email protected]

web.nvd.nist.gov

lobe chat

chatbot

framework

unauthorized access

plugins

password protection

vulnerability

patch

nvd

cve-2024-24566

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5.1 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. When the application is password-protected (deployed with the ACCESS_CODE option), it is possible to access plugins without proper authorization (without password). This vulnerability is patched in 0.122.4.

Affected configurations

Vulners

NVD

Node

lobehublobe_chatRange<0.122.4

VendorProductVersionCPE
lobehublobe_chat*cpe:2.3:a:lobehub:lobe_chat:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
lobehub	lobe_chat	*	cpe:2.3:a:lobehub:lobe_chat::::::::

CNA Affected

[
  {
    "vendor": "lobehub",
    "product": "lobe-chat",
    "versions": [
      {
        "version": "< 0.122.4",
        "status": "affected"
      }
    ]
  }
]