CVE-2024-6674

HIGH EPSS 15.2%
Published Oct 29, 20241y ago · Modified Jun 17, 20261w ago
7.1 CVSS 3.1
High
Find Similar
Published Oct 29, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on behalf of a user, such as deleting a project or sending a message. The issue impacts the confidentiality and integrity of the information.

CVSS Details

Base Score
7.1
Exploitability
2.8
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
15.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-346

Affected Products 1

VendorProductVersionRange
lollmslollms_web_ui* <10

References 2

  • github.com https://github.com/parisneo/lollms-webui/commit/c1bb1ad19752aa7541675b398495eaf98fd589f1
    Patch
  • huntr.com https://huntr.com/bounties/e688f71b-a3a4-4f6d-b48a-837073fa6908
    ExploitThird Party Advisory

Remediation

  • github.com https://github.com/parisneo/lollms-webui/commit/c1bb1ad19752aa7541675b398495eaf98fd589f1
    Patch