
Parisneo Lollms-Webui vulnerabilities

52 known vulnerabilities affecting parisneo/parisneo_lollms-webui.

Total CVEs: 52
CISA KEV: 0
Public exploits: 3
Exploited in wild: 2
Severity breakdown: CRITICAL 20, HIGH 21, MEDIUM 8, LOW 3

Vulnerabilities

Page 3 of 3
CVE-2024-6674 | HIGH, CVSS 7.1 | P4 | CWE-346 | affected: ≥ unspecified, < 10 | 2024-10-29 | source: nvd
A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on behalf of a user, such as deleting a project or sending a message. The issue
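To make the CWE-346 point concrete, the following is an added Python example, not code from lollms-webui, contrasting the classic weak CORS pattern (reflect any Origin and allow credentials, which is what lets a third-party page read an authenticated response and act as the user) with an exact-match allowlist. The origins in ALLOWED_ORIGINS are constructed for the example; the browser-side check models what an attacker's page observes.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for illustration only; a real deployment would list its own UI origins.
ALLOWED_ORIGINS = {"http://localhost:9600", "https://lollms.example.internal"}


def cors_headers_permissive(origin: Optional[str]) -> dict:
    """Weak pattern behind CWE-346: echo whatever Origin the browser sent and
    also allow credentials. Any site can then read authenticated responses."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_strict(origin: Optional[str]) -> dict:
    """Hardened form: only an exact, normalized allowlisted origin is reflected,
    'null' and wildcard are never combined with credentials, and Vary: Origin
    keeps caches from serving one origin's answer to another."""
    if origin is None or origin == "null":
        return {}
    parts = urlsplit(origin)
    # An Origin header is scheme://host[:port] with no path, so reject anything else
    # (e.g. "http://localhost:9600/evil" or "http://localhost:9600.attacker.example").
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
        return {}
    normalized = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    if normalized not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cross_origin_read_possible(response_headers: dict, attacker_origin: str) -> bool:
    """What an attacker-controlled page effectively checks: will the browser hand
    the response body (logs, settings, API keys) to script running at attacker_origin
    when the request was sent with the victim's cookies?"""
    acao = response_headers.get("Access-Control-Allow-Origin")
    with_credentials = response_headers.get("Access-Control-Allow-Credentials") == "true"
    if acao == attacker_origin:
        return True
    # "*" exposes bodies of anonymous requests only; browsers refuse "*" for credentialed ones.
    return acao == "*" and not with_credentials


if __name__ == "__main__":
    evil = "https://attacker.example"
    print("permissive:", cross_origin_read_possible(cors_headers_permissive(evil), evil))
    print("strict:", cross_origin_read_possible(cors_headers_strict(evil), evil))
```

The strict variant deliberately compares whole origins rather than substrings or regexes; prefix and suffix matches are the usual way an allowlist is bypassed.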
CVE-2024-1602 | MEDIUM, CVSS 6.1 | P4 | CWE-79 | affected: ≥ unspecified, ≤ latest | 2024-04-10 | source: nvd
parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within the user's browser context, enabling the attacker to s
CVE-2024-10047 | MEDIUM, CVSS 5.3 | P4 | CWE-36 | affected: ≥ unspecified, ≤ latest | 2025-03-20 | source: nvd
parisneo/lollms-webui versions v9.9 to the latest are vulnerable to a directory listing vulnerability. An attacker can list arbitrary directories on a Windows system by sending a specially crafted HTTP request to the /open_file endpoint.
CVE-2024-5125 | HIGH, CVSS 7.3 | P4 | CWE-79 | affected: ≥ unspecified, < 9.8 | 2024-11-14 | source: nvd
parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upon rendering, leading to potential credential theft and una
CVE-2024-6959 | HIGH, CVSS 7.1 | P4 | CWE-352 | affected: ≥ unspecified, ≤ latest | 2024-10-13 | source: nvd
A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering lollms-webui inaccessible. This issue is exacerbated by the lack of Cross-Sit
CVE-2024-8736 | MEDIUM, CVSS 6.5 | P4 | CWE-352 | affected: ≥ unspecified, ≤ latest | 2025-03-20 | source: nvd
A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). The vulnerability can be exploited remotely via Cross-Site Request Forgery (CSRF). Despite CSRF protection preventing file uploads, the application still processes multipart boundaries, leading to resource exhaustion. By
CVE-2024-6673 | MEDIUM, CVSS 6.5 | P4 | CWE-352 | affected: ≥ unspecified, < 9.9 | 2024-10-29 | source: nvd
A Cross-Site Request Forgery (CSRF) vulnerability exists in the `install_comfyui` endpoint of the `lollms_comfyui.py` file in the parisneo/lollms-webui repository, versions v9.9 to the latest. The endpoint uses the GET method without requiring a client ID, allowing an attacker to trick a victim into installing ComfyUI. If the victim's device does not
CVE-2024-2299 | MEDIUM, CVSS 6.1 | P4 | CWE-79 | affected: ≥ unspecified, ≤ latest | 2024-05-14 | source: nvd
A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing JavaScript code, which is executed when the file is accessed. This vulnerability
CVE-2024-5933 | MEDIUM, CVSS 5.4 | P4 | CWE-79 | affected: ≥ unspecified, ≤ latest | 2024-06-27 | source: nvd
A Cross-site Scripting (XSS) vulnerability exists in the chat functionality of parisneo/lollms-webui in the latest version. This vulnerability allows an attacker to inject malicious scripts via chat messages, which are then executed in the context of the user's browser.
CVE-2024-6986 | MEDIUM, CVSS 5.4 | P4 | CWE-79 | affected: ≥ unspecified, ≤ latest | 2025-03-20 | source: nvd
A Cross-site Scripting (XSS) vulnerability exists in the Settings page of parisneo/lollms-webui version 9.8. The vulnerability is due to the improper use of the 'v-html' directive, which inserts the content of the 'full_template' variable directly as HTML. This allows an attacker to execute malicious JavaScript code by injecting a payload into the 'Sys
CVE-2024-4330 | LOW, CVSS 3.3 | P4 | CWE-23 | affected: ≥ unspecified, ≤ latest | 2024-05-30 | source: nvd
A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulnerability arises due to improper handling of user-supplied input in the 'list_personalities' endpoint. By crafting a malicious HTTP request, an attacker can traverse the directory structure and view the contents of any folder, alb
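CVE-2024-4330 (list_personalities) and CVE-2024-10047 (/open_file) are both cases of a user-controlled path segment being joined onto a base directory and then listed. The added Python example below, which is not lollms-webui code, shows the containment check a practitioner would want in front of any such listing: resolve the joined path (following symlinks) and refuse it unless it is still inside the base. The personalities tree it builds under a temporary directory is constructed for the example; the real layout of lollms-webui is an assumption here.

```python
import tempfile
from pathlib import Path
from typing import List


def resolve_under(base: Path, user_path: str) -> Path:
    """Join user_path onto base and return the result only if, after resolving
    '..' segments, absolute paths and symlinks, it is still inside base.
    Note that Path(base) / "/etc" or / "C:/Windows" silently discards base,
    which is why the check is done on the resolved result, not the input."""
    base = base.resolve()
    candidate = (base / user_path).resolve()
    if not candidate.is_relative_to(base):
        raise PermissionError(f"{user_path!r} escapes {base}")
    return candidate


def is_safe(base: Path, user_path: str) -> bool:
    """Boolean wrapper for handlers that want to answer 400 instead of raising."""
    try:
        resolve_under(base, user_path)
        return True
    except PermissionError:
        return False


def list_personalities(root: Path, category: str) -> List[str]:
    """Contained replacement for a 'list the subfolders of <category>' endpoint:
    only directories inside root are ever enumerated."""
    target = resolve_under(root, category)
    if not target.is_dir():
        raise FileNotFoundError(category)
    return sorted(p.name for p in target.iterdir() if p.is_dir())


def build_demo_tree() -> Path:
    """Constructed sample tree (hypothetical layout) for the example."""
    root = Path(tempfile.mkdtemp(prefix="personalities_zoo_"))
    for sub in ("english/generic", "english/lollms", "french/generic"):
        (root / sub).mkdir(parents=True)
    (root / "english" / "readme.txt").write_text("not a personality\n")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print(list_personalities(root, "english"))   # ['generic', 'lollms']
    for probe in ("../", "/etc", "english/../french", "english/../../"):
        print(f"{probe!r:22} safe={is_safe(root, probe)}")
```

The check is made on the resolved path rather than by string-matching for "..", so encoded, doubled or platform-specific separators and symlinks pointing outside the tree are all handled the same way. The containment error is separate from "not found" so the handler can log traversal attempts distinctly.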
CVE-2024-4839 | LOW, CVSS 3.3 | P4 | CWE-352 | affected: ≥ unspecified, ≤ latest | 2024-06-24 | source: nvd
A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and Motion Ctrl service, which lack CSRF protection. This vulnerability allows a