ГлавнаяУязвимости → CVE-2024-6040
8.8высокая

CVE-2024-6040

Описание

In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.

Затрагиваемое ПО
Lollms Lollms web ui
CVSS
Балл8.8 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Источники
https://huntr.com/bounties/ac0bbb1d-89aa-42ba-bc48-1b59bd16acc7