![](/assets/img/cve_300x82_sin_bg.png)
CVE-2024-6581 – Remote Code Execution due to Stored XSS in parisneo/lollms
https://notcve.org/view.php?id=CVE-2024-6581
29 Oct 2024 — A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when author... • https://github.com/parisneo/lollms/commit/328b960a0de2097e13654ac752253e9541521ddd • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
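Added example, not code from parisneo/lollms or its fix commit, showing why the strategy this entry describes is insufficient. `denylist_sanitize()` drops only `<script>` elements and `on*` attributes, the way the advisory says `sanitize_svg` did; `allowlist_sanitize()` instead keeps a fixed set of static elements and attributes and only permits same-document `#fragment` references. The allowlists, helper names and the malicious SVG are this example's own constructions.

```python
"""Denylist vs allowlist SVG sanitisation (added example, not lollms code)."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)


def local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]


def denylist_sanitize(svg: str) -> str:
    """Mimic the advisory's approach: remove <script> and on* attributes, nothing else."""
    root = ET.fromstring(svg)
    for parent in list(root.iter()):
        for child in list(parent):
            if local(child.tag) == "script":
                parent.remove(child)
        for attr in list(parent.attrib):
            if local(attr).lower().startswith("on"):
                del parent.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# Example allowlists (this example's choice): static shapes, text and gradients.
# No <style>, <foreignObject>, <use>, <image> and no SMIL (<set>, <animate>).
ALLOWED_TAGS = frozenset({
    "svg", "g", "defs", "title", "desc", "a", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "linearGradient",
    "radialGradient", "stop",
})
ALLOWED_ATTRS = frozenset({
    "id", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry", "d",
    "points", "width", "height", "viewBox", "transform", "fill", "stroke",
    "stroke-width", "opacity", "offset", "stop-color", "font-size",
    "text-anchor", "href",
})


def allowlist_sanitize(svg: str) -> str:
    """Keep only allowlisted elements/attributes; href must be a '#fragment'."""
    root = ET.fromstring(svg)
    if local(root.tag) != "svg":
        raise ValueError("root element must be <svg>")
    for parent in list(root.iter()):
        for child in list(parent):
            if local(child.tag) not in ALLOWED_TAGS:
                parent.remove(child)  # drops the whole subtree
        for attr, value in list(parent.attrib.items()):
            name = local(attr)
            if name not in ALLOWED_ATTRS or (name == "href" and not value.strip().startswith("#")):
                del parent.attrib[attr]
    return ET.tostring(root, encoding="unicode")


def dangerous_leftovers(svg: str) -> list[str]:
    """Report known XSS vectors still present after sanitisation."""
    root = ET.fromstring(svg)
    found = set()
    for el in root.iter():
        if local(el.tag) in {"script", "foreignObject", "iframe", "set", "animate", "use", "image", "style"}:
            found.add(local(el.tag))
        for attr, value in el.attrib.items():
            if local(attr).lower().startswith("on"):
                found.add("on*")
            if "javascript:" in value.lower():
                found.add("javascript:")
    return sorted(found)


# Constructed input (not a sample from the advisory): everything except
# <script> and onload survives a script/on* denylist.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100" onload="alert(1)">
  <script>alert(2)</script>
  <a xlink:href="javascript:alert(3)"><rect width="100" height="100" fill="red"/></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">
    <iframe srcdoc="&lt;script&gt;alert(4)&lt;/script&gt;"/></body></foreignObject>
  <set attributeName="href" to="javascript:alert(5)"/>
</svg>"""
```

Run `dangerous_leftovers(denylist_sanitize(MALICIOUS_SVG))` against `dangerous_leftovers(allowlist_sanitize(MALICIOUS_SVG))` to see the difference: the denylist output still carries a `javascript:` link, a `<foreignObject>` with embedded XHTML and a `<set>` animation, while the allowlist output keeps only the `<rect>`. Serving uploads with `Content-Disposition: attachment` or from a separate origin is the usual second line of defence when an allowlist is too restrictive for the application.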
CVE-2024-6674 – Data Leak through CORS Misconfiguration in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-6674
29 Oct 2024 — A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on behalf of a user, such as deleting a project or sending a message. The issue impacts the confidentiality and integrity of the information. • https://github.com/parisneo/lollms-webui/commit/c1bb1ad19752aa7541675b398495eaf98fd589f1 • CWE-346: Origin Validation Error •
CVE-2024-6959 – Denial of Service (DoS) in multipart boundary while uploading file in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-6959
13 Oct 2024 — A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DoS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering lollms-webui inaccessible. This issue is exacerbated by the lack of Cross-Site Request Forgery (CSRF) protection, enabling remote exploitation. The vulnerability leads to service disruption, resource exhaustion, and extended downtime.... • https://huntr.com/bounties/6394d32e-f35c-418a-95b8-e7254ed0bc8e • CWE-352: Cross-Site Request Forgery (CSRF) CWE-400: Uncontrolled Resource Consumption •
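Added example, not lollms-webui's upload code, of the check a practitioner would put in front of a multipart parser: validate the boundary against the RFC 2046 grammar (1 to 70 characters from a fixed set, no trailing space) and cap body size and part count before any byte of the body is scanned. The size limits, the request sample and the function names are this example's own assumptions.

```python
"""Bounding multipart parsing before the body is touched (added example)."""
import re
from email.message import Message
from email.utils import collapse_rfc2231_value

# RFC 2046 section 5.1.1: 1..70 characters of bcharsnospace plus space,
# and the boundary must not end with a space.
_BOUNDARY_RE = re.compile(r"[0-9A-Za-z'()+_,\-./:=? ]{1,70}")


def extract_boundary(content_type: str) -> str:
    """Return the boundary from a Content-Type header, or raise ValueError."""
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_type() != "multipart/form-data":
        raise ValueError("not multipart/form-data")
    raw = msg.get_param("boundary")
    if raw is None:
        raise ValueError("boundary parameter missing")
    boundary = collapse_rfc2231_value(raw)
    if not _BOUNDARY_RE.fullmatch(boundary) or boundary.endswith(" "):
        raise ValueError("boundary violates RFC 2046 (length or characters)")
    return boundary


def boundary_is_valid(content_type: str) -> bool:
    """Convenience wrapper: True when extract_boundary() accepts the header."""
    try:
        extract_boundary(content_type)
        return True
    except ValueError:
        return False


def split_parts(body: bytes, content_type: str,
                max_body: int = 50 * 1024 * 1024, max_parts: int = 20) -> list[bytes]:
    """Split a multipart body into raw parts under hard resource bounds.

    The size cap and the boundary check both run before the body is scanned,
    so a hostile Content-Type header alone cannot drive the parser.
    """
    if len(body) > max_body:
        raise ValueError("body too large")
    delimiter = b"--" + extract_boundary(content_type).encode("ascii")
    chunks = body.split(delimiter)
    # chunks[0] is the preamble; chunks[-1] is what follows the closing "--".
    if not chunks[-1].startswith(b"--"):
        raise ValueError("missing closing delimiter")
    parts = chunks[1:-1]
    if len(parts) > max_parts:
        raise ValueError("too many parts")
    cleaned = []
    for part in parts:
        if part.startswith(b"\r\n"):
            part = part[2:]
        if part.endswith(b"\r\n"):
            part = part[:-2]
        cleaned.append(part)
    return cleaned


# Constructed request (not captured from lollms-webui).
BOUNDARY = "----constructedBoundary4f3a"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="name"\r\n\r\nalice\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="audio"; filename="clip.wav"\r\n'
    "Content-Type: audio/wav\r\n\r\nRIFF....WAVE\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()
# A boundary padded far past the 70-character limit is rejected up front.
OVERSIZED_CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY + 'A' * 5000}"
```

A cross-site `<form enctype="multipart/form-data">` POST is a CORS "simple request" and is sent without a preflight, which is why this entry pairs the resource exhaustion with the missing CSRF protection: the boundary check limits the damage per request, but an origin check on the upload endpoint is what stops a third-party page from triggering it at all.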
CVE-2024-6985 – Path Traversal in api open_personality_folder in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-6985
11 Oct 2024 — A path traversal vulnerability exists in the api open_personality_folder endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises due to improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files. • https://github.com/parisneo/lollms/commit/28ee567a9a120967215ff19b96ab7515ce469620 • CWE-23: Relative Path Traversal •
CVE-2024-6971 – Path Traversal in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-6971
11 Oct 2024 — A path traversal vulnerability exists in the parisneo/lollms-webui repository, specifically in the `lollms_file_system.py` file. The functions `add_rag_database`, `toggle_mount_rag_database`, and `vectorize_folder` do not implement security measures such as `sanitize_path_from_endpoint` or `sanitize_path`. This allows an attacker to perform vectorize operations on `.sqlite` files in any directory on the victim's computer, potentially installing multiple packages and causing a crash. • https://huntr.com/bounties/fbfe7cd0-99fb-4305-bd07-8b573364109e • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-6394 – Local File Inclusion in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-6394
30 Sep 2024 — A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized access to arbitrary files on the server, potentially exposing sensitive information such as private SSH keys, configuration files, and source code. • https://huntr.com/bounties/6df4f990-b632-4791-b3ea-f40c9ea905bf • CWE-29: Path Traversal: '\..\filename' •
CVE-2024-6040 – Missing client_id in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-6040
01 Aug 2024 — In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine. • https://huntr.com/bounties/ac0bbb1d-89aa-42ba-bc48-1b59bd16acc7 • CWE-304: Missing Critical Step in Authentication •
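Added example, not lollms-webui code, covering the origin-validation side of CVE-2024-6674 (CORS), the CSRF exposure noted in CVE-2024-6959 and the missing per-client token in this entry. It contrasts an Origin-reflecting CORS response with an allowlisted one, shows a fail-closed same-site check for state-changing handlers, and adds a constant-time per-client token comparison. `ALLOWED_ORIGINS`, the sample requests and the token check are this example's assumptions, not a description of how lollms-webui's `client_id` works.

```python
"""Origin validation for CORS responses and state-changing requests (added example)."""
from __future__ import annotations

import hmac
from urllib.parse import urlsplit

# Hypothetical origins the web UI is served from.
ALLOWED_ORIGINS = frozenset({"http://localhost:9600", "http://127.0.0.1:9600"})


def cors_headers_reflecting(headers: dict) -> dict:
    """The misconfiguration: echo whatever Origin arrives and allow credentials.
    Any page the user visits can then read authenticated API responses."""
    origin = headers.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_strict(headers: dict, allowed=ALLOWED_ORIGINS) -> dict:
    """Only known origins get an ACAO header; everyone else gets none, which the
    browser treats as a denied cross-origin read."""
    origin = headers.get("Origin")
    if origin is None or origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # stop caches serving one origin's ACAO to another


def request_is_same_site(headers: dict, allowed=ALLOWED_ORIGINS) -> bool:
    """CSRF check for POST/PUT/DELETE handlers: prefer Fetch Metadata, then
    Origin, then Referer; with no signal at all, refuse (fail closed)."""
    site = headers.get("Sec-Fetch-Site")
    if site is not None:
        return site in ("same-origin", "none")  # "none" = user-initiated navigation
    origin = headers.get("Origin")
    if origin is not None:
        return origin in allowed
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" in allowed
    return False


def client_token_valid(submitted: str | None, expected: str) -> bool:
    """Per-client secret compared in constant time; complements the origin check."""
    if submitted is None:
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())


def authorize_state_change(headers: dict, submitted_token: str | None, expected_token: str) -> bool:
    """Both checks must pass before a handler changes anything."""
    return request_is_same_site(headers) and client_token_valid(submitted_token, expected_token)


# Constructed requests (not captured traffic).
LEGIT = {"Origin": "http://localhost:9600", "Sec-Fetch-Site": "same-origin"}
CROSS_SITE = {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"}
OLD_BROWSER_CROSS_SITE = {"Origin": "https://attacker.example"}  # no Fetch Metadata
REFERER_ONLY = {"Referer": "https://attacker.example/page.html"}
```

The reason the reflecting variant leaks logs and API keys is the combination of an echoed `Access-Control-Allow-Origin` with `Access-Control-Allow-Credentials: true`: the victim's browser attaches the session and hands the response body to the attacker's page. The strict variant returns no CORS headers at all for unknown origins rather than a fixed `*`, since `*` cannot be combined with credentials anyway.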
CVE-2024-6281 – Path Traversal in parisneo/lollms
https://notcve.org/view.php?id=CVE-2024-6281
20 Jul 2024 — A path traversal vulnerability exists in the `apply_settings` function of parisneo/lollms versions prior to 9.5.1. The `sanitize_path` function does not adequately secure the `discussion_db_name` parameter, allowing attackers to manipulate the path and potentially write to important system folders. • https://github.com/parisneo/lollms/commit/26a3ff35acf152b49e1087d5698ad4864c7b6092 • CWE-440: Expected Behavior Violation •
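One containment check serves all four path traversal entries above (CVE-2024-6985, CVE-2024-6971, CVE-2024-6394 and CVE-2024-6281): resolve the joined path and prove it is still inside the permitted directory, rather than filtering the string. Added example, not lollms code. `naive_sanitize()` is a hypothetical string filter included only to show why string filtering is the wrong layer; it does not describe what lollms' `sanitize_path` does. The directory layout in `demo()` is constructed in a temporary directory.

```python
"""Containing user-supplied paths to a base directory (added example, not lollms code)."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied path escapes the permitted directory."""


def naive_sanitize(user_path: str) -> str:
    """Hypothetical string filter of the kind that is easy to get wrong:
    removing '../' once turns '....//x' into '../x' and ignores absolute paths."""
    return user_path.replace("../", "")


def resolve_inside(base_dir: os.PathLike | str, user_path: str,
                   allowed_suffixes: frozenset[str] = frozenset()) -> Path:
    """Join user_path onto base_dir and prove the result stays inside base_dir.

    resolve() canonicalises '..' segments AND follows symlinks, so a link
    planted inside base_dir that points outside is rejected too. pathlib
    replaces the base when user_path is absolute; the containment check
    catches that case instead of trusting the join. On Windows, resolve()
    also normalises backslash segments such as '\\..\\filename'.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"{user_path!r} escapes {base}") from None
    if allowed_suffixes and candidate.suffix.lower() not in allowed_suffixes:
        raise PathTraversalError(f"{user_path!r}: extension not permitted")
    return candidate


def demo() -> dict[str, bool]:
    """Exercise the check against a constructed layout; True = accepted."""
    results: dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        base = root / "personalities"
        base.mkdir()
        (base / "assistant").mkdir()
        (base / "discussions.sqlite").write_text("")
        (root / "secret.txt").write_text("not for you")
        os.symlink(root / "secret.txt", base / "link")  # escapes base via symlink

        def accepted(user_path: str, **kw) -> bool:
            try:
                resolve_inside(base, user_path, **kw)
                return True
            except PathTraversalError:
                return False

        results["plain"] = accepted("assistant")
        results["dotdot"] = accepted("../secret.txt")
        results["naive_filter_output"] = accepted(naive_sanitize("....//secret.txt"))
        results["absolute"] = accepted(str(root / "secret.txt"))
        results["symlink"] = accepted("link")
        results["sqlite_ok"] = accepted("discussions.sqlite",
                                        allowed_suffixes=frozenset({".sqlite"}))
        results["sqlite_wrong_ext"] = accepted("assistant",
                                               allowed_suffixes=frozenset({".sqlite"}))
    return results
```

Use the same function for reads (`serve_js`, `open_personality_folder`) and writes (`discussion_db_name`): the caller passes the directory it is allowed to touch and, where the endpoint only ever handles one file type, the permitted suffixes. Doing the check at the point of use, not once at input time, is what keeps later string manipulation from reopening the hole.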
CVE-2024-4897 – Remote Code Execution in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-4897
02 Jul 2024 — parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo' feature, which allows attackers to upload and interact with a malicious model file hosted on Hugging Face, leading to remote code execution. The issue is linked to a known vulnerability in llama-cpp-python, CVE-2024-34359, which has not bee... • https://huntr.com/bounties/ecf386df-4b6a-40b2-9000-db0974355acc • CWE-76: Improper Neutralization of Equivalent Special Elements •
CVE-2024-5933 – Cross-site Scripting (XSS) in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-5933
27 Jun 2024 — A Cross-site Scripting (XSS) vulnerability exists in the chat functionality of parisneo/lollms-webui in the latest version. This vulnerability allows an attacker to inject malicious scripts via chat messages, which are then executed in the context of the user's browser. • https://huntr.com/bounties/51a2e370-3b64-45cd-9afc-0e4856ab5517 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •