Vulnerability Details CVE-2024-2288
A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile picture without their consent, potentially leading to a denial of service by overloading the filesystem with files. Additionally, this flaw can be exploited to perform a stored cross-site scripting (XSS) attack, enabling attackers to execute arbitrary JavaScript in the context of the victim's browser session. The issue is resolved in version 9.3.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 44.3%
CVSS Severity
CVSS v3 Score 8.3
References
- https://github.com/parisneo/lollms-webui/commit/ed085e6effab2b1e25ba2b00366a16ff67d8551b
- https://huntr.com/bounties/2a37ae0c-890a-401a-8f3c-a261f3006290
- https://github.com/parisneo/lollms-webui/commit/ed085e6effab2b1e25ba2b00366a16ff67d8551b
- https://huntr.com/bounties/2a37ae0c-890a-401a-8f3c-a261f3006290
Products affected by CVE-2024-2288
-
cpe:2.3:a:lollms:lollms_web_ui:-
-
cpe:2.3:a:lollms:lollms_web_ui:0.0.1
-
cpe:2.3:a:lollms:lollms_web_ui:0.0.2
-
cpe:2.3:a:lollms:lollms_web_ui:0.0.3
-
cpe:2.3:a:lollms:lollms_web_ui:0.0.4
-
cpe:2.3:a:lollms:lollms_web_ui:0.0.5
-
cpe:2.3:a:lollms:lollms_web_ui:0.0.6
-
cpe:2.3:a:lollms:lollms_web_ui:0.0.7
-
cpe:2.3:a:lollms:lollms_web_ui:0.0.8
-
cpe:2.3:a:lollms:lollms_web_ui:0.0.9
-
cpe:2.3:a:lollms:lollms_web_ui:3.0
-
cpe:2.3:a:lollms:lollms_web_ui:3.5
-
cpe:2.3:a:lollms:lollms_web_ui:4.0
-
cpe:2.3:a:lollms:lollms_web_ui:5.0
-
cpe:2.3:a:lollms:lollms_web_ui:6.0
-
cpe:2.3:a:lollms:lollms_web_ui:6.5
-
cpe:2.3:a:lollms:lollms_web_ui:6.5.0
-
cpe:2.3:a:lollms:lollms_web_ui:6.7
-
cpe:2.3:a:lollms:lollms_web_ui:7.0
-
cpe:2.3:a:lollms:lollms_web_ui:8.0
-
cpe:2.3:a:lollms:lollms_web_ui:8.5
-
cpe:2.3:a:lollms:lollms_web_ui:9.0
-
cpe:2.3:a:lollms:lollms_web_ui:9.1
-
cpe:2.3:a:lollms:lollms_web_ui:9.2