CVE-2024-6581: Cross-site Scripting in Lollms

Severity: 9.0 CRITICAL (NVD)
EPSS: 1.6% (top 17.99%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 29

Description

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Exploitability: 2.3 | Impact: 6.0

Affected Packages (3 packages)

PyPI: lollms/lollms < 328b960a0de2097e13654ac752253e9541521ddd (+1)
CVEListV5: parisneo/parisneo_lollms, unspecified, 9.9

Patches

Vulnerability Details (3)

GHSA: Lollms vulnerable to Cross-site Scripting (2024-10-29)
OSV: Lollms vulnerable to Cross-site Scripting (2024-10-29)
OSV: CVE-2024-6581: A vulnerability in the discussion image upload function of the Lollms application, version v9 (2024-10-29)