CVSS: 9.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Oct 2024 — A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on behalf of a user, such as deleting a project or sending a message. The issue impacts the confidentiality and integrity of the information. • https://github.com/parisneo/lollms-webui/commit/c1bb1ad19752aa7541675b398495eaf98fd589f1 • CWE-346: Origin Validation Error

CVSS: 8.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

13 Oct 2024 — A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering lollms-webui inaccessible. This issue is exacerbated by the lack of Cross-Site Request Forgery (CSRF) protection, enabling remote exploitation. The vulnerability leads to service disruption, resource exhaustion, and extended downtime.... • https://huntr.com/bounties/6394d32e-f35c-418a-95b8-e7254ed0bc8e • CWE-352: Cross-Site Request Forgery (CSRF) • CWE-400: Uncontrolled Resource Consumption

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

30 Sep 2024 — A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized access to arbitrary files on the server, potentially exposing sensitive information such as private SSH keys, configuration files, and source code. • https://huntr.com/bounties/6df4f990-b632-4791-b3ea-f40c9ea905bf • CWE-29: Path Traversal: '\..\filename'

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

01 Aug 2024 — In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine. • https://huntr.com/bounties/ac0bbb1d-89aa-42ba-bc48-1b59bd16acc7 • CWE-304: Missing Critical Step in Authentication

CVSS: 8.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

02 Jul 2024 — parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo' feature, which allows attackers to upload and interact with a malicious model file hosted on hugging-face, leading to remote code execution. The issue is linked to a known vulnerability in llama-cpp-python, CVE-2024-34359, which has not bee... • https://huntr.com/bounties/ecf386df-4b6a-40b2-9000-db0974355acc • CWE-76: Improper Neutralization of Equivalent Special Elements

CVSS: 6.1 | EPSS: 0% | CPEs: 2 | EXPL: 0

27 Jun 2024 — A Cross-site Scripting (XSS) vulnerability exists in the chat functionality of parisneo/lollms-webui in the latest version. This vulnerability allows an attacker to inject malicious scripts via chat messages, which are then executed in the context of the user's browser. • https://huntr.com/bounties/51a2e370-3b64-45cd-9afc-0e4856ab5517 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

27 Jun 2024 — A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker to write audio files to arbitrary locations on the system and enumerate file paths. The issue arises from improper validation of user-provided file paths in the `tts_to_file` endpoint. • https://huntr.com/bounties/fd00f112-efd0-40a1-8227-d6733716e4c0 • CWE-29: Path Traversal: '\..\filename'

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

27 Jun 2024 — A path traversal vulnerability in the `/set_personality_config` endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the `configs/config.yaml` file. This can lead to remote code execution by changing server configuration properties such as `force_accept_remote_access` and `turn_on_code_validation`. • https://github.com/parisneo/lollms/commit/eda3af5f5c4ea9b2f3569f72f8d05989e29367fc • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

27 Jun 2024 — An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitrary directories on the affected system. • https://huntr.com/bounties/11a8bf9d-16f3-49b3-b5fc-ad36d8993c73 • CWE-36: Absolute Path Traversal

CVSS: 7.7 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Jun 2024 — A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the `/apply_settings` function, allowing an attacker to manipulate the `discussion_db_name` parameter to traverse the file system and include arbitrary files. This issue is compounded by the bypass of input filtering in the `install_binding`, `reinstall_binding`, and `unInstall_binding` endpoints,... • https://huntr.com/bounties/9238e88a-a6ca-4915-9b5d-6cdb4148d3f4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')