Количество 2
Количество 2
CVE-2024-7043
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GET /api/v1/files/ interface to retrieve information on all files uploaded by users, which includes the ID values. The attacker can then use the GET /api/v1/files/{file_id} interface to obtain information on any file and the DELETE /api/v1/files/{file_id} interface to delete any file.
GHSA-jrhc-9qg9-4qfq
Open WebUI Allows Arbitrary File Reading and Deletion
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
 | CVE-2024-7043 An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GET /api/v1/files/ interface to retrieve information on all files uploaded by users, which includes the ID values. The attacker can then use the GET /api/v1/files/{file_id} interface to obtain information on any file and the DELETE /api/v1/files/{file_id} interface to delete any file. | CVSS3: 8.8 | 0% Низкий | 11 месяцев назад |
| GHSA-jrhc-9qg9-4qfq Open WebUI Allows Arbitrary File Reading and Deletion | CVSS3: 8.1 | 0% Низкий | 11 месяцев назад |
Уязвимостей на страницу