2982 matches found

CVE
added 2024/04/16 12:0 a.m. | 68 views

CVE-2024-1646

CVE-2024-1646 affects parisneo/lollms-webui. The vulnerability is an authentication bypass caused by insufficient protection over sensitive endpoints; the app only checks that the host parameter is not '0.0.0.0', which is inadequate when bound to a specific interface. This allows unauthorized acc...

8.2 CVSS | 7 AI score | 0.00701 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

CVE
added 2024/04/16 12:0 a.m. | 51 views

CVE-2024-1569

parisneo/lollms-webui is vulnerable to denial of service through uncontrolled resource consumption. An attacker can trigger repeated unauthenticated POST requests at /open_code_in_vs_code and similar endpoints to repeatedly open VS Code or the default folder opener, exhausting system resources an...

7.5 CVSS | 7.1 AI score | 0.00782 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

CVE
added 2024/04/16 12:0 a.m. | 62 views

CVE-2024-1601

CVE-2024-1601 affects parisneo/lollms-webui; an SQL injection exists in delete_discussion() exploitable via a crafted POST to /delete_discussion with a malicious id parameter, allowing deletion of all records in the discussion and message tables. Impact is data loss; reports indicate this can be ...

9.8 CVSS | 7.6 AI score | 0.40416 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2024/04/16 12:0 a.m. | 19 views

CVE-2024-1646 Authentication Bypass in parisneo/lollms-webui

parisneo/lollms-webui is vulnerable to authentication bypass due to insufficient protection over sensitive endpoints. The application checks if the host parameter is not '0.0.0.0' to restrict access, which is inadequate when the application is bound to a specific interface, allowing unauthorized...

8.2 CVSS | 8.5 AI score | 0.00701 EPSS
Exploits: 1 | References: 2

Cvelist
added 2024/04/16 12:0 a.m. | 23 views

CVE-2024-1569 Uncontrolled Resource Consumption in parisneo/lollms-webui

parisneo/lollms-webui is vulnerable to a denial of service (DoS) attack due to uncontrolled resource consumption. Attackers can exploit the /open_code_in_vs_code and similar endpoints without authentication by sending repeated HTTP POST requests, leading to the opening of Visual Studio Code or the...

5.3 CVSS | 5.8 AI score | 0.00782 EPSS
Exploits: 1 | References: 2

CNNVD
added 2024/04/16 12:0 a.m. | 4 views

Open WebUI Security Vulnerability

Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from the Open WebUI open-source project. A security vulnerability exists in Open WebUI versions prior to 0.1.117, which are vulnerable to authenticated blind server-side request forgery attacks...

6.4 CVSS | 6.6 AI score | 0.00412 EPSS
Exploits: 1 | References: 3

FreeBSD
added 2024/04/16 12:0 a.m. | 31 views

chromium -- multiple security fixes

Chrome Releases reports: This update includes 23 security fixes:
- 331358160 High CVE-2024-3832: Object corruption in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-03-27
- 331383939 High CVE-2024-3833: Object corruption in WebAssembly. Reported by Man Yue Mo of GitHub Security Lab on...

9.8 CVSS | 7.8 AI score | 0.14958 EPSS
Exploits: 10 | References: 1

Tenable Nessus
added 2024/04/16 12:0 a.m. | 84 views

Google Chrome < 124.0.6367.60 Multiple Vulnerabilities

The version of Google Chrome installed on the remote Windows host is prior to 124.0.6367.60. It is, therefore, affected by multiple vulnerabilities as referenced in the 202404stable-channel-update-for-desktop16 advisory. - Use after free in QUIC in Google Chrome prior to 124.0.6367.60 allowed a...

9.8 CVSS | 7.2 AI score | 0.14958 EPSS
Exploits: 10 | References: 29

OSV
added 2024/04/13 5:15 p.m. | 4 views

CVE-2024-3737

A vulnerability was found in cym1102 nginxWebUI up to 3.9.9. It has been rated as critical. Affected by this issue is the function findCountByQuery of the file /adminPage/www/addOver. The manipulation of the argument dir leads to path traversal. The attack may be launched remotely. The exploit ha...

9.8 CVSS | 7.1 AI score
Exploits: 0 | References: 4

CNNVD
added 2024/04/13 12:0 a.m. | 5 views

nginxWebUI Code Issue Vulnerability

nginxWebUI is an nginx web configuration tool from cym1102. A code issue vulnerability exists in nginxWebUI version 3.9.9, which stems from an unrestricted file upload in the upload method of the /adminPage/main/upload file...

7.5 CVSS | 5.2 AI score | 0.00918 EPSS
Exploits: 1 | References: 6

Vulnrichment
added 2024/04/12 9:41 p.m. | 21 views

CVE-2024-31462 Limited file write in Stable-diffusion-webui - GHSL-2024-010

stable-diffusion-webui is a web interface for Stable Diffusion, implemented using Gradio library. Stable-diffusion-webui 1.7.0 is vulnerable to a limited file write affecting Windows systems. The createui method Backup/Restore tab in modules/uiextensions.py takes user input into the configsavenam...

6.3 CVSS | 6.9 AI score | 0.0068 EPSS
Exploits: 0 | References: 10

Cvelist
added 2024/04/12 9:41 p.m. | 28 views

CVE-2024-31462 Limited file write in Stable-diffusion-webui - GHSL-2024-010

stable-diffusion-webui is a web interface for Stable Diffusion, implemented using Gradio library. Stable-diffusion-webui 1.7.0 is vulnerable to a limited file write affecting Windows systems. The createui method Backup/Restore tab in modules/uiextensions.py takes user input into the configsavenam...

6.3 CVSS | 6.5 AI score | 0.0068 EPSS
Exploits: 0 | References: 10

Positive Technologies
added 2024/04/12 12:0 a.m. | 5 views

PT-2024-24093 · Unknown · Stable-Diffusion-Webui

Name of the Vulnerable Software and Affected Versions: stable-diffusion-webui version 1.7.0
Description: The issue is related to a limited file write affecting Windows systems. It occurs in the create ui method Backup/Restore tab in modules/ui extensions.py, where user input is taken into the...

6.3 CVSS | 6.9 AI score | 0.0068 EPSS
Exploits: 0 | References: 14

OSV
added 2024/04/10 5:15 p.m. | 11 views

CVE-2024-1600

A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the /personalities route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequences (../../) followed by the desired system file path, URL...

9.3 CVSS | 6.7 AI score
Exploits: 0 | References: 2

NVD
added 2024/04/10 5:15 p.m. | 9 views

CVE-2024-1511

The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of user-supplied file paths. This flaw allows an unauthenticated attacker to read, write, and in certain configurations execute arbitrary files on the server by exploiting various...

9.8 CVSS | 9.5 AI score | 0.00981 EPSS
Exploits: 1 | References: 1

NVD
added 2024/04/10 5:15 p.m. | 7 views

CVE-2024-1520

An OS Command Injection vulnerability exists in the '/opencodefolder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-supplied input in the 'discussionid' parameter. Attackers can exploit this vulnerability by injecting malicious OS commands, leading to...

9.8 CVSS | 9.5 AI score | 0.48214 EPSS
Exploits: 1 | References: 2

OSV
added 2024/04/10 5:15 p.m. | 18 views

CVE-2024-1520

An OS Command Injection vulnerability exists in the '/opencodefolder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-supplied input in the 'discussionid' parameter. Attackers can exploit this vulnerability by injecting malicious OS commands, leading to...

9.8 CVSS | 7.3 AI score
Exploits: 0 | References: 2

OSV
added 2024/04/10 5:15 p.m. | 4 views

CVE-2024-1511

The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of user-supplied file paths. This flaw allows an unauthenticated attacker to read, write, and in certain configurations execute arbitrary files on the server by exploiting various...

9.8 CVSS | 9.5 AI score
Exploits: 0 | References: 1

Vulnrichment
added 2024/04/10 5:8 p.m. | 11 views

CVE-2024-1602 Stored XSS leading to RCE in parisneo/lollms-webui

parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within t...

8.8 CVSS | 6.5 AI score | 0.00724 EPSS
Exploits: 1 | References: 1

Vulnrichment
added 2024/04/10 5:8 p.m. | 8 views

CVE-2024-1520 OS Command Injection in parisneo/lollms-webui

An OS Command Injection vulnerability exists in the '/opencodefolder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-supplied input in the 'discussionid' parameter. Attackers can exploit this vulnerability by injecting malicious OS commands, leading to...

9.8 CVSS | 9.4 AI score | 0.48214 EPSS
Exploits: 1 | References: 2