CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW
Vector string: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

AI Score
Confidence: High

SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
A Cross-Site Request Forgery (CSRF) vulnerability exists in the ‘Servers Configurations’ function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and Motion Ctrl service, which lack CSRF protection. This vulnerability allows attackers to deceive users into unwittingly installing the XTTS service among other packages by submitting a malicious installation request. Successful exploitation results in attackers tricking users into performing actions without their consent.
[
  {
    "cpes": [
      "cpe:2.3:a:parisneo:lollms-webui:9.6:*:*:*:*:*:*:*"
    ],
    "vendor": "parisneo",
    "product": "lollms-webui",
    "versions": [
      {
        "status": "affected",
        "version": "9.6"
      }
    ],
    "defaultStatus": "unknown"
  }
]