PT-2024-18193 · Unknown · Parisneo/Lollms-Webui
Published: 2024-04-15 · Updated: 2025-07-07 · CVE-2024-1646
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui (affected versions not specified)

Description: The issue stems from insufficient protection of sensitive endpoints, which allows authentication bypass. The application's only restriction is a check that the configured host parameter is not '0.0.0.0'; this check is inadequate when the application is bound to a specific interface, because it says nothing about who is actually sending the request. The vulnerability can lead to denial of service, unauthorized disabling or overriding of recordings, and potentially other impacts if certain features are enabled in the configuration. The sensitive endpoints are '/restart program', '/update software', '/check update', '/start recording', and '/stop recording'.

Recommendations: As a temporary workaround, restrict access to the sensitive endpoints '/restart program', '/update software', '/check update', '/start recording', and '/stop recording' to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
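As an added illustration (not code from the lollms-webui project), the bind-address test the description faults is shown beside a per-request guard that decides on the caller's authentication state and peer address instead; the function names, the loopback allow-list and the sample addresses are assumptions made for this example.

```python
import ipaddress
from typing import Iterable

# Sensitive endpoints as named in the advisory (spelling kept as the record gives it).
SENSITIVE_ENDPOINTS = frozenset({
    "/restart program", "/update software", "/check update",
    "/start recording", "/stop recording",
})

# Assumed default: only loopback callers may reach the sensitive endpoints.
LOCAL_ONLY = ("127.0.0.0/8", "::1/128")


def flawed_guard(bind_host: str, path: str) -> bool:
    """The pattern the advisory describes: the only restriction is a test on the
    configured bind address. Once the listener is bound to a specific interface
    (anything other than '0.0.0.0'), every client that can reach the socket passes,
    because nothing about the actual caller is examined."""
    if path not in SENSITIVE_ENDPOINTS:
        return True
    return bind_host != "0.0.0.0"


def hardened_guard(client_ip: str, path: str, authenticated: bool,
                   allowed_nets: Iterable[str] = LOCAL_ONLY) -> bool:
    """Hypothetical replacement: decide per request on who is calling. A sensitive
    endpoint needs an authenticated caller whose source address lies inside an
    explicit allow-list; the bind address plays no part. client_ip must be the
    socket peer address, never a client-supplied header such as X-Forwarded-For."""
    if path not in SENSITIVE_ENDPOINTS:
        return True
    if not authenticated:
        return False
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:          # unparsable peer address: fail closed
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d), which dual-stack listeners report.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in ipaddress.ip_network(net) for net in allowed_nets)


if __name__ == "__main__":
    # Constructed scenario: app bound to 192.0.2.10, unauthenticated remote caller.
    print("flawed  :", flawed_guard("192.0.2.10", "/restart program"))             # True
    print("hardened:", hardened_guard("198.51.100.7", "/restart program", False))  # False
```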

Exploit: DoS

Weakness Enumeration: Authentication Bypass Using an Alternate Path or Channel

Related Identifiers: CVE-2024-1646

Affected Products: Parisneo/Lollms-Webui