CVE-2024-2299

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-2299

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-2299.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-2299

Published

2024-05-14T15:18:47.760Z

Modified

2026-04-10T05:09:15.939641Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing JavaScript code, which is executed when the file is accessed. This vulnerability is remotely exploitable via Cross-Site Request Forgery (CSRF), allowing attackers to perform actions on behalf of authenticated users and potentially leading to unauthorized access to sensitive information within the Lollms-webui application.

References

https://huntr.com/bounties/f1adaac0-b9ed-4093-a0f3-2d0a4ecba398

Affected packages

Git / github.com/parisneo/lollms-webui

Affected ranges

Type

GIT

Repo

https://github.com/parisneo/lollms-webui

Events

Introduced

Fixed

eaa0b2035034d2cefcc536eb7d17a765dae4a6b4

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "9.5"
        }
    ]
}

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.0.9

v3.*

v3.0

v3.5

v4.*

v4.0

v5.*

v5.0

v6.*

v6.0

v6.5

v6.5.0

v6.5rc2

v6.7

v7.*

v7.0

v8.*

v8.5

v9.*

v9.0

v9.1

v9.2

v9.3

v9.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-2299.json"