CVE-2024-6040 — Cross-Site Request Forgery in Lollms

CWE-352 — Cross-Site Request Forgery CWE-304 — Missing Critical Step in Authentication4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 82.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Parisneo Lollms Lollms WEB UI Google Chrome Chrome

Timeline

PublishedAug 1

Description

In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5parisneo/parisneo_lollmsunspecified — latest

▶NVDlollms/lollms_web_ui9.8

▶googlegoogle/chrome_chrome

🔴Vulnerability Details

GHSA

GHSA-7qmp-3hh8-g4vw: In parisneo/lollms-webui version v9↗2024-08-01

▶

📋Vendor Advisories

Chrome

Long Term Support Channel Update for ChromeOS: CVE-2024-6040↗2024-03-11

▶

💬Community

Bugzilla

CVE-2023-6040 kernel: netfilter: nf_tables: out-of-bounds access in nf_tables_newtable()↗2024-01-12

▶