4 matches found
CVE-2024-9920
In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Attackers can exploit this by uploading files with malicious content and then using the '/openfile' API...
CVE-2024-6986
A Cross-site Scripting XSS vulnerability exists in the Settings page of parisneo/lollms-webui version 9.8. The vulnerability is due to the improper use of the 'v-html' directive, which inserts the content of the 'fulltemplate' variable directly as HTML. This allows an attacker to execute maliciou...
CVE-2024-1522
A Cross-Site Request Forgery CSRF vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the /executecode API endpoint, which does not properly validate requests, enabling an attacker to craft a...
PT-2024-19635 · Unknown · Lollms-Webui
Name of the Vulnerable Software and Affected Versions: lollms-webui affected versions not specified Description: A stored Cross-Site Scripting XSS issue exists due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this by uploading malicio...