exploitDog

CVE-2024-7990

Опубликовано: 20 мар. 2025

Источник: nvd

CVSS3: 8.4

EPSS Низкий

Описание

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the /api/v1/models/add endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious scripts that can be executed by any user, including administrators, potentially leading to arbitrary code execution.

Ссылки

https://huntr.com/bounties/2256e336-0f67-449e-a82d-7fc57081a21c
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:openwebui:open_webui:0.3.8:*:*:*:*:*:*:*

EPSS

Процентиль: 37%

0.00158

Низкий

8.4 High

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-gj27-76gq-5v3p

CVSS3: 8.4

github

11 месяцев назад

Open WebUI stored cross-site scripting (XSS) vulnerability

EPSS

Процентиль: 37%

0.00158

Низкий

8.4 High

CVSS3

Дефекты

CWE-79