CVE-2024-7046
CVE-2024-7046 affects open-webui/open-webui v0.3.8. It is an improper access-control vulnerability that allows an attacker to view the first admin (owner) details by directly calling /api/v1/auths/admin/details without verifying admin privileges. The issue is demonstrated by public PoCs (e.g., a ...
CVE-2024-7046 Improper Access Control in open-webui/open-webui
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows an attacker to view admin details. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the /api/v1/auths/admin/details interface to retrieve the first admin...
CVE-2024-10047
CVE-2024-10047 affects parisneo/lollms-webui, versions from v9.9 to the latest. The issue is a directory listing vulnerability exposed via the /open_file endpoint, allowing an attacker to enumerate arbitrary directories on a Windows system. The vulnerability details across connected sources confi...
CVE-2024-10047 Directory Listing Vulnerability in parisneo/lollms-webui
parisneo/lollms-webui versions v9.9 to the latest are vulnerable to a directory listing vulnerability. An attacker can list arbitrary directories on a Windows system by sending a specially crafted HTTP request to the /openfile endpoint...
CVE-2024-11044 Open Redirect in automatic1111/stable-diffusion-webui
An open redirect vulnerability in automatic1111/stable-diffusion-webui version 1.10.0 allows a remote unauthenticated attacker to redirect users to arbitrary websites via a specially crafted URL. This vulnerability can be exploited to conduct phishing attacks, distribute malware, and steal user...
CVE-2024-11044
CVE-2024-11044 is an open redirect vulnerability in automatic1111/stable-diffusion-webui 1.10.0. The issue allows unauthenticated remote attackers to redirect users to attacker-controlled sites via the file parameter in the /file= endpoint, enabling phishing, malware distribution, and credential ...
CVE-2024-7999
...
CVE-2024-7999
CVE-2024-7999 is rejected/not used; refer to CVE-2024-53981.
CVE-2024-8581 Path Traversal in parisneo/lollms-webui
A vulnerability in the uploadapp function of parisneo/lollms-webui V12 Strawberry allows an attacker to delete any file or directory on the system. The function does not implement user input filtering with the filename value, causing a Path Traversal error...
CVE-2024-8581
CVE-2024-8581 concerns parisneo/lollms-webui, version V12 (Strawberry). The vulnerability is in the upload_app function where unsanitized filename input enables Path Traversal, allowing an attacker to delete arbitrary files or directories on the host. Root cause: lack of user input filtering for ...
CVE-2024-12537 Unauthenticated Denial of Service in open-webui/open-webui
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the api/v1/utils/code/format endpoint. If a malicious actor sends a POST request with an excessively high volume of content, the server could become completely...
CVE-2024-9840
...
CVE-2024-9840
CVE-2024-9840 is a duplicate of CVE-2024-53981 (per the initial description). Connected data confirms CVE-2024-53981 describes a vulnerability in python-multipart (a streaming multipart parser) with a DoS risk when parsing form data; fixed in version 0.0.18. There is no separate active entry for ...