CVE-2024-6674Origin Validation Error in Lollms-webui

CWE-346Origin Validation Error2 documents2 sources
Severity
7.1HIGHNVD
EPSS
0.2%
top 56.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Parisneo Lollms-webuiLollms WEB UI
Timeline
PublishedOct 29

Description

A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on behalf of a user, such as deleting a project or sending a message. The issue impacts the confidentiality and integrity of the information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages2 packages

CVEListV5parisneo/parisneo_lollms-webuiunspecified10

Patches

Patch: github.com

🔴Vulnerability Details

1
GHSA
GHSA-3qxp-588w-rmqg: A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, a2024-10-29