Vulnerabilities > CVE-2024-2288 - Unspecified vulnerability in Lollms web UI

CVSS 8.3 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

LOW

Availability impact

HIGH

network

low complexity

lollms

NVD

Published: 2024-06-06

Updated: 2024-11-21

Summary

A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile picture without their consent, potentially leading to a denial of service by overloading the filesystem with files. Additionally, this flaw can be exploited to perform a stored cross-site scripting (XSS) attack, enabling attackers to execute arbitrary JavaScript in the context of the victim's browser session. The issue is resolved in version 9.3.

Vulnerable Configurations

Part	Description	Count
Application	Lollms Lollms Lollms WEB UI - Lollms Lollms WEB UI 0.0.1 Lollms Lollms WEB UI 0.0.2 Lollms Lollms WEB UI 0.0.3 Lollms Lollms WEB UI 0.0.4 Lollms Lollms WEB UI 0.0.5 Lollms Lollms WEB UI 0.0.6 Lollms Lollms WEB UI 0.0.7 Lollms Lollms WEB UI 0.0.8 Lollms Lollms WEB UI 0.0.9 Lollms Lollms WEB UI 3.0 Lollms Lollms WEB UI 3.5 Lollms Lollms WEB UI 4.0 Lollms Lollms WEB UI 5.0 Lollms Lollms WEB UI 6.0 Lollms Lollms WEB UI 6.5 Lollms Lollms WEB UI 6.5.0 Lollms Lollms WEB UI 6.7 Lollms Lollms WEB UI 7.0 Lollms Lollms WEB UI 8.0 Lollms Lollms WEB UI 8.5 Lollms Lollms WEB UI 9.0 Lollms Lollms WEB UI 9.1 Lollms Lollms WEB UI 9.2	25

Summary

Vulnerable Configurations

References