CVE-2024-6959

A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering lollms-webui inaccessible. This issue is exacerbated by the lack of Cross-Site Request Forgery (CSRF) protection, enabling remote exploitation. The vulnerability leads to service disruption, resource exhaustion, and extended downtime.
References
Link Resource
https://huntr.com/bounties/6394d32e-f35c-418a-95b8-e7254ed0bc8e Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:lollms:lollms_web_ui:9.8:*:*:*:*:*:*:*

History

03 Nov 2024, 17:15

Type Values Removed Values Added
CWE CWE-400

22 Oct 2024, 14:02

Type Values Removed Values Added
First Time Lollms
Lollms lollms Web Ui
CWE CWE-352
CPE cpe:2.3:a:lollms:lollms_web_ui:9.8:*:*:*:*:*:*:*
References () https://huntr.com/bounties/6394d32e-f35c-418a-95b8-e7254ed0bc8e - () https://huntr.com/bounties/6394d32e-f35c-418a-95b8-e7254ed0bc8e - Exploit, Third Party Advisory

15 Oct 2024, 12:57

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad en la versión 9.8 de parisneo/lollms-webui permite un ataque de denegación de servicio (DOS) al cargar un archivo de audio. Si un atacante agrega una gran cantidad de caracteres al final de un límite de varias partes, el sistema procesará continuamente cada carácter, lo que hará que lollms-webui sea inaccesible. Este problema se ve agravado por la falta de protección contra Cross-Site Request Forgery (CSRF), lo que permite la explotación remota. La vulnerabilidad provoca la interrupción del servicio, el agotamiento de los recursos y un tiempo de inactividad prolongado.

13 Oct 2024, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-13 13:15

Updated : 2024-11-03 17:15


NVD link : CVE-2024-6959

Mitre link : CVE-2024-6959

CVE.ORG link : CVE-2024-6959


JSON object : View

Products Affected

lollms

  • lollms_web_ui
CWE
CWE-352

Cross-Site Request Forgery (CSRF)