CVE-2024-5125

CVSS V2 None CVSS V3 None

Description

parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upon rendering, leading to potential credential theft and unauthorized data access. The Open Redirect vulnerability arises from insufficient URL validation within SVG files, enabling attackers to redirect users to malicious websites, thereby exposing them to phishing attacks, malware distribution, and reputation damage. These vulnerabilities are present in the application's functionality to send files to the AI module.

Overview

CVE ID
CVE-2024-5125

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-11-14T17:36:04.963Z

Last Modified Date
2024-11-14T17:36:04.963Z

Weakness Enumerations

CWE	URL
CWE-434	http://cwe.mitre.org/data/definitions/434.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/e6ae8cfd-9f8b-41df-a0cc-1e7a47416995
https://github.com/parisneo/lollms-webui/commit/9b0f6c4ad1b9a2cd3466dcefaa278df30feed67e

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-5125
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5125

History

Created	Old Value	New Value	Data Type	Notes
2024-11-15 13:21:12				Added to TrackCVE