| |
Vulnerability CVE-2024-6040
Published: 2024-08-01
| Description: |
In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine. |
Type:
CWE-304 (Missing Critical Step in Authentication)
References: |
https://huntr.com/bounties/ac0bbb1d-89aa-42ba-bc48-1b59bd16acc7
|
|
|
Copyright 2024, cxsecurity.com
|
|
|
