CVE-2024-5125

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-5125
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5125.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-5125
Published
2024-11-14T18:15:26Z
Modified
2024-11-15T18:52:41.496508Z
Summary
[none]
Details

parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upon rendering, leading to potential credential theft and unauthorized data access. The Open Redirect vulnerability arises from insufficient URL validation within SVG files, enabling attackers to redirect users to malicious websites, thereby exposing them to phishing attacks, malware distribution, and reputation damage. These vulnerabilities are present in the application's functionality to send files to the AI module.

References

Affected packages

Git / github.com/parisneo/lollms-webui

Affected ranges

Type
GIT
Repo
https://github.com/parisneo/lollms-webui
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9

v3.*

v3.0
v3.5

v4.*

v4.0

v5.*

v5.0

v6.*

v6.0
v6.5
v6.5.0
v6.5rc2
v6.7

v7.*

v7.0

v8.*

v8.0
v8.5

v9.*

v9.0
v9.1
v9.2
v9.3
v9.4
v9.5
v9.6
v9.8