cbcvebase.
CVE-2024-6040
published 2024-08-01

CVE-2024-6040: In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities…

PriorityP346high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
0.16%
5.7th percentile
In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.

Affected

3 ranges
VendorProductVersion rangeFixed in
googlechrome_chrome
lollmslollms_web_ui
parisneoparisneo_lollmsunspecified – latest

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv3.04.4MEDIUMCVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.