Lollms Web Ui
CVE-2024-4328
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
A Cross-Site Request Forgery (CSRF) vulnerability exists in the clear_personality_files_list function of the parisneo/lollms-webui v9.6. The vulnerability arises from the use of a GET request to clear personality files list, which lacks proper CSRF protection. This flaw allows attackers to trick users into performing actions without their consent, such as deleting important files on the system. The issue is present in the application's handling of requests, making it susceptible to CSRF attacks that could lead to unauthorized actions being performed on behalf of the user.
AnalysisAI
A Cross-Site Request Forgery (CSRF) vulnerability exists in the clear_personality_files_list function of the parisneo/lollms-webui v9.6. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. A Cross-Site Request Forgery (CSRF) vulnerability exists in the clear_personality_files_list function of the parisneo/lollms-webui v9.6. The vulnerability arises from the use of a GET request to clear personality files list, which lacks proper CSRF protection. This flaw allows attackers to trick users into performing actions without their consent, such as deleting important files on the system. The issue is present in the application's handling of requests, making it susceptible to CSRF attacks that could lead to unauthorized actions being performed on behalf of the user. Affected products include: Parisneo Lollms Web Ui.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.
More in Lollms Web Ui
View allA path traversal vulnerability exists in the `install` and `uninstall` API endpoints of parisneo/lollms-webui version V1
A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui app
A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui,
A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically w
parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient
A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and exe
A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui app
A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. Rated cri
A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute ar
An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui applicatio
The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of us
A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today