A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile picture without their consent, potentially leading to a denial of service by overloading the filesystem with files. Additionally, this flaw can be exploited to perform a stored cross-site scripting (XSS) attack, enabling attackers to execute arbitrary JavaScript in the context of the victim's browser session. The issue is resolved in version 9.3.
History

Tue, 15 Oct 2024 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Lollms
Lollms lollms Web Ui
CPEs cpe:2.3:a:lollms:lollms_web_ui:*:*:*:*:*:*:*:*
Vendors & Products Lollms
Lollms lollms Web Ui
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T18:24:08.214Z

Updated: 2024-08-01T19:11:53.256Z

Reserved: 2024-03-07T16:40:34.866Z

Link: CVE-2024-2288

cve-icon Vulnrichment

Updated: 2024-08-01T19:11:53.256Z

cve-icon NVD

Status : Modified

Published: 2024-06-06T19:15:54.137

Modified: 2024-11-21T09:09:26.250

Link: CVE-2024-2288

cve-icon Redhat

No data.