11 matches found
CVE-2024-12766
parisneo/lollms-webui version V13 (feather) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the POST /api/proxy REST API. Attackers can exploit this vulnerability to abuse the victim server's credentials to access unauthorized web resources by specifying the JSON parameter {"url"...
CVE-2024-2548
A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the lollms_core/lollms/server/endpoints/lollms_binding_files_server.py and lollms_core/lollms/security.py files. Due to inadequate validation of file paths between Windows and Linux environments usin...
CVE-2025-1451
A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads. The server does not limit or validate the length of the boundary or the characters appended to it, allowing an attacker to craft requests with excessively long boundaries, leading...
CVE-2024-6394
A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the serve_js function in app.py, which allows attackers to perform path traversal attacks. This can lead to unauthorized access to arbitrary files o...
CVE-2024-6250
An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the open_file endpoint of lollms_advanced.py. The sanitize_path function with allow_absolute_path=True allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability ...
CVE-2024-8736
A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). The vulnerability can be exploited remotely via Cross-Site Request Forgery (CSRF). Despite CSRF protection preventing file uploads, the application still processes mul...
CVE-2024-6959
A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering lollms-webui inaccess...
CVE-2024-4322
A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the /list_personalities endpoint. By manipulating the category parameter, an attacker can traverse the directory structure and list any directory on the system. This issue affects the latest version ...
CVE-2024-4498
A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the /apply_settings function, allowing an attacker to manipulate the discussion_db_na...
CVE-2024-2299
A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing JavaScript code, which is...
CVE-2024-2178
A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'copy_to_custom_personas' endpoint in the 'lollms_personalities_infos.py' file. This vulnerability allows attackers to read arbitrary files by manipulating the 'category' and 'name' parameters during the 'Co...