CVE-2024-7049
Published 2024-10-10
Priority P427 · medium · CVSS 3.1 base score 5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS 0.34% (25.4th percentile)
In version v0.3.8 of open-webui/open-webui, a vulnerability exists where a token is returned when a user with a pending role logs in. Because the session token is issued regardless of the pending role, the account can call authenticated endpoints before an admin has approved it, bypassing the intended approval process.
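The following is an added, constructed example (not Open WebUI's code, user store or token format) showing the two places the approval gate has to hold: the signin handler must refuse to mint a token for a `pending` account, and every authenticated request must re-check the caller's current role so a token that was issued anyway (as in the vulnerable version) grants nothing. The user records, passwords and HMAC signing key are all made up for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed demo key; a real deployment loads this from secure config.
SIGNING_KEY = b"demo-signing-key-not-for-production"


@dataclass
class User:
    email: str
    password_hash: str
    role: str  # one of "pending", "user", "admin"


def _pw_hash(password: str) -> str:
    # Plain SHA-256 keeps the example self-contained; a real service uses a
    # password hash such as argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user store: one account still awaiting approval, one approved.
USERS = {
    "newcomer@example.test": User("newcomer@example.test", _pw_hash("pending-pw"), "pending"),
    "alice@example.test": User("alice@example.test", _pw_hash("alice-pw"), "user"),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: User, ttl_seconds: int = 3600) -> str:
    """HMAC-SHA256 signed bearer token carrying subject, role and expiry."""
    claims = {"sub": user.email, "role": user.role, "exp": int(time.time()) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def decode_token(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(payload)
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, json.JSONDecodeError):
        return None


def _check_credentials(email: str, password: str) -> Optional[User]:
    user = USERS.get(email)
    if user is None or not hmac.compare_digest(user.password_hash, _pw_hash(password)):
        return None
    return user


def signin_vulnerable(email: str, password: str) -> Optional[str]:
    """Mirrors the reported flaw: valid credentials get a token whatever the role."""
    user = _check_credentials(email, password)
    return issue_token(user) if user else None


def signin_fixed(email: str, password: str) -> Optional[str]:
    """Pending accounts are refused at signin, so no token ever leaves the server."""
    user = _check_credentials(email, password)
    if user is None:
        return None
    if user.role == "pending":
        raise PermissionError("account awaiting admin approval")
    return issue_token(user)


def authorize(token: str, allowed_roles: frozenset = frozenset({"user", "admin"})) -> bool:
    """Per-request check. The role is re-read from the user store rather than
    trusted from the token, so a token minted for a pending (or since-demoted)
    account is rejected even if signin let it through."""
    claims = decode_token(token)
    if claims is None:
        return False
    user = USERS.get(claims.get("sub", ""))
    return user is not None and user.role in allowed_roles
```

Checking the role on every request, not only at signin, is what turns the fix from a single gate into defence in depth: if some other code path (password reset, OAuth callback, API key) issues a token for an unapproved account, the endpoints still refuse it.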
Affected
3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-webui | open-webui_open-webui | unspecified – latest | — |
| openwebui | open_webui | — | — |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.29+esm16 | 5.5.9+dfsg-1ubuntu4.29+esm16 |

The php5 row comes from Ubuntu's USN-7049-1 (CVE-2024-8925 and CVE-2024-8927, see the OSV records below), matched on the shared "7049" number; it does not describe software affected by CVE-2024-7049. No fixed open-webui version is recorded on this page.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| nvd | 3.0 | 5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| osv | — | 5.3 | MEDIUM | — |
OSV
php5 vulnerabilities
osv · 2025-02-26 · CVSS 5.3 · CVE-2024-8925

This OSV record (and the php7.0/php7.2 one that follows) covers the Ubuntu PHP advisory USN-7049-1, which concerns CVE-2024-8925 and CVE-2024-8927, not CVE-2024-7049.

USN-7049-1 fixed vulnerabilities in PHP. This update
provides the corresponding updates for Ubuntu 14.04 LTS.
Original advisory details:
It was discovered that PHP incorrectly handled parsing multipart form
data. A remote attacker could possibly use this issue to inject payloads
and cause PHP to ignore legitimate data. (CVE-2024-8925)
It was discovered that PHP incorrectly handled the cgi.force_redirect
configuration option due to environment variable collisions. In certain
configurations, an attacker could possibly use this issue to bypass
force_redirect restrictions. (CVE-2024-8927)
OSV
php7.0, php7.2 vulnerabilities
osv · 2024-11-14 · CVSS 5.3 · CVE-2024-8925
USN-7049-1 fixed vulnerabilities in PHP. This update provides the
corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that PHP incorrectly handled parsing multipart form
data. A remote attacker could possibly use this issue to inject payloads
and cause PHP to ignore legitimate data. (CVE-2024-8925)
It was discovered that PHP incorrectly handled the cgi.force_redirect
configuration option due to environment variable collisions. In certain
configurations, an attacker could possibly use this issue to bypass
force_redirect restrictions. (CVE-2024-8927)
GHSA
GHSA-947m-jhcv-94rp: In version v0
ghsa_unreviewed · 2024-10-10 · CVE-2024-7049 [MEDIUM] · CWE-488
In version v0.3.8 of open-webui/open-webui, a vulnerability exists where a token is returned when a user with a pending role logs in. This allows the user to perform actions without admin confirmation, bypassing the intended approval process.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-10-10