CVE-2024-5125Cross-site Scripting in Lollms-webui

CWE-79Cross-site ScriptingCWE-434Unrestricted File Upload2 documents2 sources
Severity
7.3HIGHNVD
EPSS
0.1%
top 68.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Parisneo Lollms-webuiLollms Lollms-webui
Timeline
PublishedNov 14

Description

parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upon rendering, leading to potential credential theft and unauthorized data access. The Open Redirect vulnerability arises from insufficient URL validation within SVG files, enabling attackers to redirect

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:HExploitability: 1.8 | Impact: 5.5

Affected Packages2 packages

CVEListV5parisneo/parisneo_lollms-webuiunspecified9.8

Patches

Patch: github.com

🔴Vulnerability Details

1
GHSA
GHSA-8p2m-96j6-h5p5: parisneo/lollms-webui version 92024-11-14