CVE-2024-8736 — Cross-Site Request Forgery in Lollms-webui

CWE-352 — Cross-Site Request Forgery CWE-400 — Uncontrolled Resource Consumption2 documents2 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 79.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Parisneo Lollms-webui Lollms WEB UI

Timeline

PublishedMar 20

Description

A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). The vulnerability can be exploited remotely via Cross-Site Request Forgery (CSRF). Despite CSRF protection preventing file uploads, the application still processes multipart boundaries, leading to resource exhaustion. By appending additional characters to the multipart boundary, an attacker can cause the server to parse each byte of the boundary, ultimately leading …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5parisneo/parisneo_lollms-webuiunspecified — latest

▶NVDlollms/lollms_web_ui12

🔴Vulnerability Details

GHSA

GHSA-vpg6-7cch-gq2j: A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry)↗2025-03-20

▶