CVE-2024-2299: Cross-site Scripting in WEB UI

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.3% (top 46.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 14

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing JavaScript code, which is executed when the file is accessed. This vulnerability is remotely exploitable via Cross-Site Request Forgery (CSRF), allowing attackers to perform actions on behalf of authenticated users and potenti

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

CVEListV5 | parisneo/parisneo_lollms-webui | unspecified | latest

Patches

Vulnerability Details

1. GHSA GHSA-cv4r-v8vp-fgjg (2024-05-14): A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the