CVE-2024-6040

In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.
Configurations

No configuration.

History

01 Aug 2024, 16:15

Type | Values Removed | Values Added
New CVE | | 

Information

Published : 2024-08-01 16:15

Updated : 2024-08-01 16:45


NVD link : CVE-2024-6040

Mitre link : CVE-2024-6040

CVE.ORG link : CVE-2024-6040

Products Affected

No product.

CWE
CWE-304

Missing Critical Step in Authentication