CVE-2024-6581

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-6581

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-6581.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-6581

Aliases

Withdrawn

2025-07-24T18:59:46.434187Z

Published

2024-10-29T13:15:07Z

Modified

2024-11-01T22:27:11.931826Z

Severity

9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitizesvg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitizesvg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file.

References

Affected packages

Git / github.com/parisneo/lollms

Affected ranges

Type: GIT
Repo: https://github.com/parisneo/lollms
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

328b960a0de2097e13654ac752253e9541521ddd

Affected versions

v5.*

v5.9.0

v5.9.1