CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Vulnrichment•added 2025/03/20 10:10 a.m.•6 views

CVE-2024-7035 Cross-Site Request Forgery (CSRF) in open-webui/open-webui

6.9CVSS6.8AI score0.00234EPSS

CVE•added 2025/03/20 10:10 a.m.•73 views

CVE-2024-7035

The CVE-2024-7035 issue affects open-webui/open-webui (v0.3.8). The underlying problem is CSRF because sensitive actions (delete/reset) are invoked via GET requests. Affected endpoints include /rag/api/v1/reset, /rag/api/v1/reset/db, /api/v1/memories/reset, and /rag/api/v1/reset/uploads, impactin...

6.9CVSS6.8AI score0.00234EPSS

Cvelist•added 2025/03/20 10:10 a.m.•11 views

CVE-2024-12375 Local File Inclusion in automatic1111/stable-diffusion-webui

A local file inclusion vulnerability was identified in automatic1111/stable-diffusion-webui, affecting version git 82a973c. This vulnerability allows an attacker to read arbitrary files on the system by sending a specially crafted request to the application...

6.5CVSS0.00772EPSS

CVE•added 2025/03/20 10:10 a.m.•46 views

CVE-2024-12375

The CVE-2024-12375 entry concerns a Local File Inclusion in automatic1111/stable-diffusion-webui, affecting the git version 82a973c. The vulnerability enables an attacker to read arbitrary files on the host by sending a specially crafted request to the application. The CVSS base score is 6.5 (Med...

6.5CVSS6.3AI score0.00772EPSS

7.5CVSS7.5AI score0.00799EPSS

CVE-2024-7036 Denial of Service in open-webui/open-webui

A vulnerability in open-webui/open-webui v0.3.8 allows an unauthenticated attacker to sign up with excessively large text in the 'name' field, causing the Admin panel to become unresponsive. This prevents administrators from performing essential user management actions such as deleting, editing, ...

Cvelist•added 2025/03/20 10:9 a.m.•9 views

CVE-2024-7036 Denial of Service in open-webui/open-webui

7.5CVSS0.00799EPSS

CVE•added 2025/03/20 10:9 a.m.•48 views

CVE-2024-7036

Affected software: open-webui/open-webui v0.3.8. Vulnerability: denial of service via an excessively long name field during signup, causing the Admin panel to become unresponsive. Impact: prevents admin user management actions (delete/edit/add users); can be exploited by unauthenticated users or ...

7.5CVSS7.4AI score0.00799EPSS

8.4CVSS8.4AI score0.00297EPSS

CVE-2024-9919 Missing Authentication Check in parisneo/lollms-webui

A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/appname API endpoint does not call the checkaccess function to verify the clientid, enabling attackers to delete directories without...

Cvelist•added 2025/03/20 10:9 a.m.•12 views

CVE-2024-9919 Missing Authentication Check in parisneo/lollms-webui

8.4CVSS0.00297EPSS

6.5CVSS7.3AI score0.01125EPSS

CVE-2024-7033 Arbitrary File Write in open-webui/open-webui

In version 0.3.8 of open-webui/open-webui, an arbitrary file write vulnerability exists in the downloadmodel endpoint. When deployed on Windows, the application improperly handles file paths, allowing an attacker to manipulate the file path to write files to arbitrary locations on the server's...

Cvelist•added 2025/03/20 10:9 a.m.•11 views

CVE-2024-7033 Arbitrary File Write in open-webui/open-webui

6.5CVSS0.01125EPSS

CVE•added 2025/03/20 10:9 a.m.•53 views

CVE-2024-7033

Open WebUI (open-webui/open-webui) version 0.3.8 contains an arbitrary file Write vulnerability in the download_model endpoint, exploitable on Windows due to improper file-path handling. An attacker can manipulate the target path to write files to arbitrary locations on the server filesystem, pot...

7.2CVSS8.3AI score0.01125EPSS

CVE•added 2025/03/20 10:9 a.m.•48 views

CVE-2024-10935

CVE-2024-10935 concerns automatic1111/stable-diffusion-webui v1.10.0. The issue arises when the server fails to handle excessive characters at the end of multipart boundaries, allowing malformed multipart requests to trigger excessive resource consumption and a complete DoS. The vulnerability is ...

7.5CVSS7AI score0.00765EPSS

Cvelist•added 2025/03/20 10:9 a.m.•10 views

CVE-2024-10935 Unauthenticated DoS via Multipart Boundary in automatic1111/stable-diffusion-webui

automatic1111/stable-diffusion-webui version 1.10.0 contains a vulnerability where the server fails to handle excessive characters appended to the end of multipart boundaries. This flaw can be exploited by sending malformed multipart requests with arbitrary characters at the end of the boundary,...

7.5CVSS0.00765EPSS

4.9CVSS5.2AI score0.00562EPSS

CVE-2024-7040 Improper Access Control in open-webui/open-webui

In version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the userid parameter, it is possible to view the chats of any administrator,...

4.4CVSS4.7AI score0.00311EPSS

CVE-2024-7058 Relative Path Traversal in parisneo/lollms-webui

A vulnerability in the sanitizepath function in parisneo/lollms-webui v10 - latest allows an attacker to bypass path sanitization by using relative paths such as './'. This can lead to unauthorized access to directories within the personalityfolder on the victim's computer...

Cvelist•added 2025/03/20 10:9 a.m.•12 views

CVE-2024-7040 Improper Access Control in open-webui/open-webui

4.9CVSS0.00562EPSS

Cvelist•added 2025/03/20 10:9 a.m.•10 views

CVE-2024-7058 Relative Path Traversal in parisneo/lollms-webui

4.4CVSS0.00311EPSS

CVE•added 2025/03/20 10:9 a.m.•48 views

CVE-2024-7040

CVE-2024-7040 affects open-webui/open-webui v0.3.8, where an improper access-control flaw on the frontend admin page lets an admin view chats of other admins by tampering the user_id parameter. Root cause: insufficient authorization checks on admin chats. Affected component is the admin chat view...

4.9CVSS5.2AI score0.00562EPSS