CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2024-6040

In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.001

EPSS Ranking 31.9%

CVSS Severity

CVSS v3 Score 4.4

References

https://huntr.com/bounties/ac0bbb1d-89aa-42ba-bc48-1b59bd16acc7

Products affected by CVE-2024-6040

Lollms » Lollms Web Ui » Version: 9.8

cpe:2.3:a:lollms:lollms_web_ui:9.8

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2024-6040

Products

Pricing

Contact Us