CVE-2024-7806

Опубликовано: 20 мар. 2025

Источник: nvd

CVSS3: 8

CVSS3: 8.8

EPSS Низкий

Описание

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.

Ссылки

https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8
Exploit
Third Party Advisory
https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:openwebui:open_webui:*:*:*:*:*:*:*:*

Версия до 0.3.8 (включая)

EPSS

Процентиль: 73%

0.00747

Низкий

8 High

CVSS3

8.8 High

CVSS3

Дефекты

CWE-352

Связанные уязвимости

GHSA-85jc-8h5p-8vw8

CVSS3: 8

github

11 месяцев назад

Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability

EPSS

Процентиль: 73%

0.00747

Низкий

8 High

CVSS3

8.8 High

CVSS3

Дефекты

CWE-352