CVE-2024-6959Cross-Site Request Forgery in Lollms-webui

CWE-352Cross-Site Request ForgeryCWE-400Uncontrolled Resource Consumption2 documents2 sources
Severity
7.1HIGHNVD
EPSS
0.1%
top 72.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Parisneo Lollms-webuiLollms WEB UI
Timeline
PublishedOct 13

Description

A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering lollms-webui inaccessible. This issue is exacerbated by the lack of Cross-Site Request Forgery (CSRF) protection, enabling remote exploitation. The vulnerability leads to service disruption, resource exhaustion, and extend

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:HExploitability: 2.8 | Impact: 4.2

Affected Packages2 packages

CVEListV5parisneo/parisneo_lollms-webuiunspecifiedlatest

🔴Vulnerability Details

1
GHSA
GHSA-33r9-m4vj-8h9p: A vulnerability in parisneo/lollms-webui version 92024-10-13