CVE-2024-2288

A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile picture without their consent, potentially leading to a denial of service by overloading the filesystem with files. Additionally, this flaw can be exploited to perform a stored cross-site scripting (XSS) attack, enabling attackers to execute arbitrary JavaScript in the context of the victim's browser session. The issue is resolved in version 9.3.
Configurations

Configuration 1 (hide)

cpe:2.3:a:lollms:lollms_web_ui:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:09

Type Values Removed Values Added
References () https://github.com/parisneo/lollms-webui/commit/ed085e6effab2b1e25ba2b00366a16ff67d8551b - Patch () https://github.com/parisneo/lollms-webui/commit/ed085e6effab2b1e25ba2b00366a16ff67d8551b - Patch
References () https://huntr.com/bounties/2a37ae0c-890a-401a-8f3c-a261f3006290 - Exploit, Third Party Advisory () https://huntr.com/bounties/2a37ae0c-890a-401a-8f3c-a261f3006290 - Exploit, Third Party Advisory

15 Oct 2024, 20:31

Type Values Removed Values Added
CPE cpe:2.3:a:lollms:lollms_web_ui:*:*:*:*:*:*:*:*
References () https://github.com/parisneo/lollms-webui/commit/ed085e6effab2b1e25ba2b00366a16ff67d8551b - () https://github.com/parisneo/lollms-webui/commit/ed085e6effab2b1e25ba2b00366a16ff67d8551b - Patch
References () https://huntr.com/bounties/2a37ae0c-890a-401a-8f3c-a261f3006290 - () https://huntr.com/bounties/2a37ae0c-890a-401a-8f3c-a261f3006290 - Exploit, Third Party Advisory
First Time Lollms lollms Web Ui
Lollms

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de Cross-Site Request Forgery (CSRF) en la funcionalidad de carga de imágenes de perfil de la aplicación Lollms, específicamente en el repositorio parisneo/lollms-webui, que afecta a las versiones hasta 7.3.0. Esta vulnerabilidad permite a los atacantes cambiar la imagen de perfil de una víctima sin su consentimiento, lo que podría provocar una denegación de servicio al sobrecargar el sistema de archivos con archivos. Además, esta falla se puede aprovechar para realizar un ataque de Cross-site Scripting (XSS) almacenado, lo que permite a los atacantes ejecutar JavaScript arbitrario en el contexto de la sesión del navegador de la víctima. El problema se resuelve en la versión 9.3.

06 Jun 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-06 19:15

Updated : 2024-11-21 09:09


NVD link : CVE-2024-2288

Mitre link : CVE-2024-2288

CVE.ORG link : CVE-2024-2288


JSON object : View

Products Affected

lollms

  • lollms_web_ui
CWE
CWE-352

Cross-Site Request Forgery (CSRF)