CVE-2024-6674

HIGH

lollms_web_ui < 10 - Origin Validation Error via CORS Misconfiguration

Title source: llm

Description

A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on behalf of a user, such as deleting a project or sending a message. The issue impacts the confidentiality and integrity of the information.

References (2)

Core 2

Core References

Patch

https://github.com/parisneo/lollms-webui/commit/c1bb1ad19752aa7541675b398495eaf98fd589f1

View Patch ZIP pw:eip

Exploit, Third Party Advisory

https://huntr.com/bounties/e688f71b-a3a4-4f6d-b48a-837073fa6908

Scores

CVSS v3 7.1

EPSS 0.0024

EPSS Percentile 15.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-346

Status published

Products (1)

lollms/lollms_web_ui < 10

Published Oct 29, 2024

Tracked Since Feb 18, 2026