Описание
In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.
Ссылки
- ExploitThird Party Advisory
Уязвимые конфигурации
EPSS
4.4 Medium
CVSS3
8.8 High
CVSS3
Дефекты
Связанные уязвимости
In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.
Уязвимость операционной системы Google ChromeOS, связанная с недостаточной проверкой входных данных, позволяющая нарушителю повысить свои привилегии
EPSS
4.4 Medium
CVSS3
8.8 High
CVSS3