In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.
References
Configurations
No configuration.
History
01 Aug 2024, 16:15
Type | Values Removed | Values Added
---|---|---
New CVE | |
Information
Published : 2024-08-01 16:15
Updated : 2024-08-01 16:45
NVD link : CVE-2024-6040
Mitre link : CVE-2024-6040
CVE.ORG link : CVE-2024-6040
Products Affected
No product.
CWE
CWE-304
Missing Critical Step in Authentication