CVE-2024-6674

HIGH

parisneo/lollms-webui <10 - SSRF

Title source: llm

Description

A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on behalf of a user, such as deleting a project or sending a message. The issue impacts the confidentiality and integrity of the information.

References (2)

[Patch] https://github.com/parisneo/lollms-webui/commit/c1bb1ad19752aa7541675b398495eaf98fd589f1

View Patch ZIP pw:eip

[Exploit, Third Party Advisory] https://huntr.com/bounties/e688f71b-a3a4-4f6d-b48a-837073fa6908

Scores

CVSS v3 7.1

EPSS 0.0021

EPSS Percentile 43.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-346

Status published

Products (1)

lollms/lollms_web_ui < 10

Published Oct 29, 2024

Tracked Since Feb 18, 2026