
CVE-2024-6707 – Open WebUI Arbitrary File Upload + Path Traversal
https://notcve.org/view.php?id=CVE-2024-6707
07 Aug 2024 — Attacker-controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traversal vulnerability. Open WebUI version 0.1.105 suffers from arbitrary file upload and path traversal vulnerabilities. • https://packetstorm.news/files/id/179998 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2024-6706 – Open WebUI Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-6706
07 Aug 2024 — Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page. Open WebUI version 0.1.105 suffers from a persistent cross-site scripting vulnerability. • https://packetstorm.news/files/id/179997 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')