PT-2024-19596 · Lollms · Lollms

Published: 2024-06-06 · Updated: 2024-10-15 · CVE-2024-2288
CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H
Name of the Vulnerable Software and Affected Versions: Lollms versions up to 7.3.0
Description: A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application. The upload endpoint accepts a request on the strength of the victim's session cookie alone, which the browser attaches to a cross-site form submission automatically, so a page on any other origin can change the victim's profile picture without their consent. Because every forged upload writes another file, repeated requests can exhaust the filesystem and cause a denial of service. The same flaw can be used for stored cross-site scripting (XSS): if the stored upload is not validated as an image, a script-bearing file is later rendered in the victim's browser session and its JavaScript executes in the application's context.
Recommendations: For versions up to 7.3.0, update to version 9.3 or higher. If updating is not immediately possible, disable the profile picture upload functionality, or restrict access to it, as a temporary workaround.
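The two controls the recommendation implies, rejecting cross-site requests on the upload endpoint and accepting only genuine raster images so a stored payload cannot run as script, can be shown side by side. The following is an added Python example written for this page, not Lollms code: the origin http://localhost:9600, the X-CSRF-Token header, the session cookie name, the request and store classes, and every request body are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

APP_ORIGIN = "http://localhost:9600"   # assumed origin of the web UI (hypothetical)
MAX_PICTURE_BYTES = 1024 * 1024        # per-upload cap; bounds the file-flooding DoS

# Magic bytes of the raster formats a profile picture is allowed to be.
RASTER_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    headers: dict
    cookies: dict
    body: bytes

@dataclass
class PictureStore:
    """Toy model of the profile-picture directory: one blob per session/user."""
    pictures: dict = field(default_factory=dict)

def csrf_token(session_id: str, server_secret: bytes) -> str:
    """Stateless token bound to the session: HMAC-SHA256(secret, session_id).
    A cross-site page can make the browser send the cookie, not read this value."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()

def request_origin(req: Request) -> Optional[str]:
    """scheme://host[:port] from Origin, falling back to Referer; None if absent."""
    raw = req.headers.get("Origin") or req.headers.get("Referer")
    parts = urlsplit(raw) if raw else None
    if not parts or not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"

def sniff_image(data: bytes) -> Optional[str]:
    """Identify the upload by magic bytes, never by filename or Content-Type."""
    for magic, mime in RASTER_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None

def upload_vulnerable(req: Request, store: PictureStore) -> Tuple[int, str]:
    """The condition the advisory describes: a logged-in POST is enough.
    No origin or token check, no look at the bytes, no size limit."""
    user = req.cookies.get("session")
    if req.method != "POST" or user is None:
        return 401, "login required"
    store.pictures[user] = req.body
    return 200, "stored"

def upload_hardened(req: Request, store: PictureStore, server_secret: bytes) -> Tuple[int, str]:
    """Same endpoint with CSRF protection and content validation."""
    user = req.cookies.get("session")
    if req.method != "POST" or user is None:
        return 401, "login required"
    if request_origin(req) != APP_ORIGIN:          # cross-site, or no Origin/Referer at all
        return 403, "cross-site request rejected"
    sent = req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(sent, csrf_token(user, server_secret)):
        return 403, "missing or invalid CSRF token"
    if len(req.body) > MAX_PICTURE_BYTES:
        return 413, "picture too large"
    mime = sniff_image(req.body)
    if mime is None:                                # SVG/HTML would render as a page: stored XSS
        return 415, "only PNG, JPEG or GIF accepted"
    store.pictures[user] = req.body
    return 200, f"stored as {mime}"

def demo() -> dict:
    """Drive both handlers with constructed requests and report the outcomes."""
    secret = secrets.token_bytes(32)
    session = "sess-4f2a"                                   # constructed cookie value
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64               # constructed PNG-like body
    svg = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>'
    # Forged from attacker.example: the victim's cookie rides along, the token cannot.
    forged = Request("POST", {"Origin": "http://attacker.example"}, {"session": session}, svg)
    # Issued by the web UI's own script: same origin, correct token, real image.
    legit = Request("POST", {"Origin": APP_ORIGIN, "X-CSRF-Token": csrf_token(session, secret)},
                    {"session": session}, png)
    # Same origin and token, but the file is script-bearing markup, not a raster image.
    svg_legit = Request("POST", dict(legit.headers), {"session": session}, svg)
    vuln, hard = PictureStore(), PictureStore()
    return {
        "vulnerable_forged": upload_vulnerable(forged, vuln)[0],
        "vulnerable_stored_script": b"<script>" in vuln.pictures[session],
        "hardened_forged": upload_hardened(forged, hard, secret)[0],
        "hardened_svg": upload_hardened(svg_legit, hard, secret)[0],
        "hardened_legit": upload_hardened(legit, hard, secret)[0],
        "hardened_stored_png": hard.pictures.get(session) == png,
    }
```

upload_vulnerable mirrors the advisory's condition: the session cookie, which the browser attaches to any cross-site form post, is the only thing the endpoint checks, so the attacker.example page gets its script-bearing SVG stored under the victim's account. upload_hardened rejects the same request on the Origin check before the token is even compared, and a same-origin upload of an SVG with a valid token is still refused on content, which closes the stored-script path even if a token leaks. The size cap bounds the file-flooding angle for the uploads that are accepted.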

References: Exploit · Fix
Weakness Enumeration: CSRF
Related Identifiers: CVE-2024-2288
Affected Products: Lollms