CVE-2024-1646

CVSS V2 None CVSS V3 None

Description

parisneo/lollms-webui is vulnerable to authentication bypass due to insufficient protection over sensitive endpoints. The application checks if the host parameter is not '0.0.0.0' to restrict access, which is inadequate when the application is bound to a specific interface, allowing unauthorized access to endpoints such as '/restart_program', '/update_software', '/check_update', '/start_recording', and '/stop_recording'. This vulnerability can lead to denial of service, unauthorized disabling or overriding of recordings, and potentially other impacts if certain features are enabled in the configuration.

Overview

CVE ID
CVE-2024-1646

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-04-16T00:00:14.201Z

Last Modified Date
2024-06-04T17:59:30.637Z

Weakness Enumerations

CWE	URL
CWE-288	http://cwe.mitre.org/data/definitions/288.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/2f769c46-aa85-4ab8-8b08-fe791313b7ba
https://github.com/parisneo/lollms-webui/commit/02e829b5653a1aa5dbbe9413ec84f96caa1274e8

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-1646
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1646

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 06:24:59				Added to TrackCVE