CVE-2024-6040
Published 2024-08-01
Priority: P346 · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 0.16% (5.7th percentile)
In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chrome_chrome | — | — | — |
| lollms | lollms_web_ui | — | — |
| parisneo | parisneo_lollms | unspecified – latest | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 4.4 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L |
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2024-6040
vendor_chrome · 2024-03-11 · CVSS 8.8 [HIGH]
GHSA
GHSA-7qmp-3hh8-g4vw: In parisneo/lollms-webui version v9
ghsa_unreviewed · 2024-08-01 · MEDIUM · CWE-304
No detection rules found.
No public exploits indexed.
Published: 2024-08-01