Parisneo Lollms
Monthly
Cross-site scripting in parisneo/lollms prior to version 2.2.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious HTML payloads injected through the unsanitized `content` field in the `AppLollmsMessage.from_dict` deserialization method. The changed scope (CVSS S:C) indicates impact beyond the vulnerable component, enabling session hijacking, account takeover, and potentially wormable attacks. Publicly available exploit code exists (reported v
Stored cross-site scripting in parisneo/lollms versions prior to 2.2.0 enables unauthenticated attackers to inject malicious JavaScript through unsanitized social post content in the create_post function. Injected scripts execute in victims' browsers when viewing the Home Feed, enabling account takeover, session hijacking, and wormable propagation across the platform. The CVSS vector indicates network-accessible exploitation requiring user interaction, with scope change allowing cross-domain impact. No public exploit identified at time of analysis, but low attack complexity increases weaponization risk.
Insufficient session expiration in parisneo/lollms allows authenticated attackers with high privileges to maintain unauthorized account access after a victim resets their password, due to failure to invalidate active sessions and excessively long default session duration (31 days). The vulnerability requires prior compromise and high privileges but enables persistent access to accounts with confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been confirmed.
Weak JWT secret key in LoLLMs 2.1.0 enables offline brute-force recovery, allowing remote unauthenticated attackers to forge administrative tokens and bypass authentication completely. Attackers can escalate privileges to administrator, impersonate legitimate users, and access all restricted endpoints without prior authentication. EPSS probability is low (0.04%, 14th percentile) suggesting limited widespread exploitation interest, though a proof-of-concept exists and SSVC classifies the vulnerability as automatable with total technical impact. Fixed in version 2.2.0 via commit a3b2b82b84.
Cross-site scripting in parisneo/lollms prior to version 2.2.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious HTML payloads injected through the unsanitized `content` field in the `AppLollmsMessage.from_dict` deserialization method. The changed scope (CVSS S:C) indicates impact beyond the vulnerable component, enabling session hijacking, account takeover, and potentially wormable attacks. Publicly available exploit code exists (reported v
Stored cross-site scripting in parisneo/lollms versions prior to 2.2.0 enables unauthenticated attackers to inject malicious JavaScript through unsanitized social post content in the create_post function. Injected scripts execute in victims' browsers when viewing the Home Feed, enabling account takeover, session hijacking, and wormable propagation across the platform. The CVSS vector indicates network-accessible exploitation requiring user interaction, with scope change allowing cross-domain impact. No public exploit identified at time of analysis, but low attack complexity increases weaponization risk.
Insufficient session expiration in parisneo/lollms allows authenticated attackers with high privileges to maintain unauthorized account access after a victim resets their password, due to failure to invalidate active sessions and excessively long default session duration (31 days). The vulnerability requires prior compromise and high privileges but enables persistent access to accounts with confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been confirmed.
Weak JWT secret key in LoLLMs 2.1.0 enables offline brute-force recovery, allowing remote unauthenticated attackers to forge administrative tokens and bypass authentication completely. Attackers can escalate privileges to administrator, impersonate legitimate users, and access all restricted endpoints without prior authentication. EPSS probability is low (0.04%, 14th percentile) suggesting limited widespread exploitation interest, though a proof-of-concept exists and SSVC classifies the vulnerability as automatable with total technical impact. Fixed in version 2.2.0 via commit a3b2b82b84.