CVE-2024-5125

HIGH

7.3

Descripcion

parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upon rendering, leading to potential credential theft and unauthorized data access. The Open Redirect vulnerability arises from insufficient URL validation within SVG files, enabling attackers to redirect users to malicious websites, thereby exposing them to phishing attacks, malware distribution, and reputation damage. These vulnerabilities are present in the application's functionality to send files to the AI module.

Detalles CVE

Puntuacion CVSS v3.17.3

SeveridadHIGH

Vector CVSSCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H

Vector de ataqueLOCAL

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioREQUIRED

Publicado11/14/2024

Ultima modificacion12/23/2025

Fuentenvd

Avistamientos honeypot0

Productos afectados

lollms:lollms-webui

Debilidades (CWE)

CWE-79

Referencias

https://github.com/parisneo/lollms-webui/commit/9b0f6c4ad1b9a2cd3466dcefaa278df30feed67e(security@huntr.dev)

https://huntr.com/bounties/e6ae8cfd-9f8b-41df-a0cc-1e7a47416995(security@huntr.dev)

https://huntr.com/bounties/e6ae8cfd-9f8b-41df-a0cc-1e7a47416995(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.