We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-2288

CSRF File Upload Vulnerability in parisneo/lollms-webui



Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile picture without their consent, potentially leading to a denial of service by overloading the filesystem with files. Additionally, this flaw can be exploited to perform a stored cross-site scripting (XSS) attack, enabling attackers to execute arbitrary JavaScript in the context of the victim's browser session. The issue is resolved in version 9.3.

Reserved 2024-03-07 | Published 2024-06-06 | Updated 2024-08-01 | Assigner @huntr_ai


HIGH: 8.3CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H

Problem types

CWE-352 Cross-Site Request Forgery (CSRF)

Product status

Any version before 9.3
affected

References

huntr.com/bounties/2a37ae0c-890a-401a-8f3c-a261f3006290

github.com/...ommit/ed085e6effab2b1e25ba2b00366a16ff67d8551b

cve.org (CVE-2024-2288)

nvd.nist.gov (CVE-2024-2288)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2024-2288

Support options

Helpdesk Chat, Email, Knowledgebase