Lollms-webui Security Vulnerabilities and Issues — Lollms-webui CVE List

Lucene search

ParisneoLollms-webui

7 matches found

CVE•added 2024/04/10 5:15 p.m.•76 views

CVE-2024-1511

The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of user-supplied file paths. This flaw allows an unauthenticated attacker to read, write, and in certain configurations execute arbitrary files on the server by exploiting various endp...

9.8CVSS7.2AI score0.00305EPSS

CVE•added 2024/04/10 5:15 p.m.•72 views

CVE-2024-1520

An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-supplied input in the 'discussion_id' parameter. Attackers can exploit this vulnerability by injecting malicious OS commands, leading to unau...

9.8CVSS9.3AI score0.0062EPSS

CVE•added 2024/04/10 5:15 p.m.•67 views

CVE-2024-1600

A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the /personalities route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequences (../../) followed by the desired system file path, URL e...

9.3CVSS8.9AI score0.00062EPSS

CVE•added 2024/04/10 5:15 p.m.•66 views

CVE-2024-1602

parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within...

8.8CVSS6.4AI score0.00202EPSS

CVE•added 2024/04/16 12:15 a.m.•53 views

CVE-2024-1646

parisneo/lollms-webui is vulnerable to authentication bypass due to insufficient protection over sensitive endpoints. The application checks if the host parameter is not '0.0.0.0' to restrict access, which is inadequate when the application is bound to a specific interface, allowing unauthorized ac...

8.2CVSS7AI score0.00088EPSS

CVE•added 2024/04/16 12:15 a.m.•46 views

CVE-2024-1601

An SQL injection vulnerability exists in the delete_discussion() function of the parisneo/lollms-webui application, allowing an attacker to delete all discussions and message data. The vulnerability is exploitable via a crafted HTTP POST request to the /delete_discussion endpoint, which internally ...

9.8CVSS7.6AI score0.00263EPSS

CVE•added 2024/04/16 12:15 a.m.•40 views

CVE-2024-1569

parisneo/lollms-webui is vulnerable to a denial of service (DoS) attack due to uncontrolled resource consumption. Attackers can exploit the /open_code_in_vs_code and similar endpoints without authentication by sending repeated HTTP POST requests, leading to the opening of Visual Studio Code or the ...

7.5CVSS7.1AI score0.00122EPSS