CVE-2024-5125

Published Nov 14, 2024

Last updated 2 days ago

CVSS high 7.3

Overview

Description
parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upon rendering, leading to potential credential theft and unauthorized data access. The Open Redirect vulnerability arises from insufficient URL validation within SVG files, enabling attackers to redirect users to malicious websites, thereby exposing them to phishing attacks, malware distribution, and reputation damage. These vulnerabilities are present in the application's functionality to send files to the AI module.
Source
security@huntr.dev
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.3
Impact score
5.5
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Severity
HIGH

CVSS 3.0

Type
Secondary
Base score
7.3
Impact score
5.5
Exploitability score
1.8
Vector string
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Severity
HIGH

Weaknesses

security@huntr.dev
CWE-434

Social media

Hype score
Not currently trending

  1. CVE-2024-5125 parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during th… https://t.co/W460C5efbx

    @CVEnew

    14 Nov 2024

    249 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References