CVE-2024-11302 — Missing Critical Step in Authentication in Lollms

CWE-304 — Missing Critical Step in Authentication2 documents2 sources

Severity

8.0HIGHNVD

EPSS

0.0%

top 92.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Parisneo Lollms

Timeline

PublishedMar 20

Description

A missing check_access() function in the lollms_binding_infos module of the parisneo/lollms repository, version V14, allows attackers to add, modify, and remove bindings arbitrarily. This vulnerability affects the /install_binding and /reinstall_binding endpoints, among others, enabling unauthorized access and manipulation of binding settings without requiring the client_id value.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:HExploitability: 2.5 | Impact: 5.5

Affected Packages1 packages

▶CVEListV5parisneo/parisneo_lollmsunspecified — latest

🔴Vulnerability Details

GHSA

GHSA-3j5r-3852-j63v: A missing check_access() function in the lollms_binding_infos module of the parisneo/lollms repository, version V14, allows attackers to add, modify,↗2025-03-20

▶