A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering lollms-webui inaccessible. This issue is exacerbated by the lack of Cross-Site Request Forgery (CSRF) protection, enabling remote exploitation. The vulnerability leads to service disruption, resource exhaustion, and extended downtime.
References
Link | Resource |
---|---|
https://huntr.com/bounties/6394d32e-f35c-418a-95b8-e7254ed0bc8e | Exploit Third Party Advisory |
Configurations
History
03 Nov 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
CWE |
22 Oct 2024, 14:02
Type | Values Removed | Values Added |
---|---|---|
First Time |
Lollms
Lollms lollms Web Ui |
|
CWE | CWE-352 | |
CPE | cpe:2.3:a:lollms:lollms_web_ui:9.8:*:*:*:*:*:*:* | |
References | () https://huntr.com/bounties/6394d32e-f35c-418a-95b8-e7254ed0bc8e - Exploit, Third Party Advisory |
15 Oct 2024, 12:57
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
13 Oct 2024, 13:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-13 13:15
Updated : 2024-11-03 17:15
NVD link : CVE-2024-6959
Mitre link : CVE-2024-6959
CVE.ORG link : CVE-2024-6959
JSON object : View
Products Affected
lollms
- lollms_web_ui
CWE
CWE-352
Cross-Site Request Forgery (CSRF)