CVE-2024-1601
- Source
- https://cve.org/CVERecord?id=CVE-2024-1601
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-1601.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-1601
- Published
- 2024-04-16T00:15:09.597Z
- Modified
- 2026-04-10T05:07:48.861453Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An SQL injection vulnerability exists in the
delete_discussion()function of the parisneo/lollms-webui application, allowing an attacker to delete all discussions and message data. The vulnerability is exploitable via a crafted HTTP POST request to the/delete_discussionendpoint, which internally calls the vulnerabledelete_discussion()function. By sending a specially crafted payload in the 'id' parameter, an attacker can manipulate SQL queries to delete all records from the 'discussion' and 'message' tables. This issue is due to improper neutralization of special elements used in an SQL command. - References
Affected packages
Git / github.com/parisneo/lollms-webui
Affected ranges
- Type
- GIT
- Repo
- https://github.com/parisneo/lollms-webui
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "9.0" }, { "introduced": "0" }, { "last_affected": "9.1" } ] }