CVE-2024-6674

CVSS V2 None CVSS V3 None

Description

A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on behalf of a user, such as deleting a project or sending a message. The issue impacts the confidentiality and integrity of the information.

Overview

CVE ID
CVE-2024-6674

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-10-29T12:46:44.950Z

Last Modified Date
2024-10-29T13:41:08.667Z

Weakness Enumerations

CWE	URL
CWE-346	http://cwe.mitre.org/data/definitions/346.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/e688f71b-a3a4-4f6d-b48a-837073fa6908
https://github.com/parisneo/lollms-webui/commit/c1bb1ad19752aa7541675b398495eaf98fd589f1

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-6674
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6674

History

Created	Old Value	New Value	Data Type	Notes
2024-10-30 13:32:00				Added to TrackCVE