CVE-2024-8736

MEDIUM EPSS 13.5%

Published Mar 20, 20251y ago · Modified Jun 17, 20261w ago

6.5 CVSS 3.1

Medium

Published Mar 20, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). The vulnerability can be exploited remotely via Cross-Site Request Forgery (CSRF). Despite CSRF protection preventing file uploads, the application still processes multipart boundaries, leading to resource exhaustion. By appending additional characters to the multipart boundary, an attacker can cause the server to parse each byte of the boundary, ultimately leading to service unavailability. This vulnerability is present in the `/upload_avatar`, `/upload_app`, and `/upload_logo` endpoints.

CVSS Details

Base Score

6.5

Exploitability

2.8

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Unchanged

Confidentiality None

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

13.5% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-352 Cross-Site Request Forgery (CSRF) Authentication

Affected Products 1

Vendor	Product	Version	Range
lollms	lollms_web_ui	12	any

References 1

huntr.com https://huntr.com/bounties/935dbc03-1b43-4dbb-b6cd-1aa95a789d4f

Exploit

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.