Описание
In version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the user_id parameter, it is possible to view the chats of any administrator, including those of other admin (owner) accounts.
Ссылки
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1
cpe:2.3:a:openwebui:open_webui:0.3.8:*:*:*:*:*:*:*
EPSS
Процентиль: 29%
0.00105
Низкий
4.9 Medium
CVSS3
Дефекты
CWE-639
Связанные уязвимости
CVSS3: 4.9
github
11 месяцев назад
In version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the user_id parameter, it is possible to view the chats of any administrator, including those of other admin (owner) accounts.
EPSS
Процентиль: 29%
0.00105
Низкий
4.9 Medium
CVSS3
Дефекты
CWE-639