CVE-2024-6040

Name of the Vulnerable Software and Affected Versions parisneo/lollms-webui version v9.8

Description The issue is related to the missing client id parameter in lollms binding infos, leading to security vulnerabilities. Specifically, the endpoints "/reload binding", "/install binding", "/reinstall binding", "/unInstall binding", "/set active binding settings", and "/update binding settings" are susceptible to CSRF attacks and local attacks. An attacker can exploit this to perform unauthorized actions on the victim's machine. Additionally, there is a mention of an operating system vulnerability related to insufficient input validation in Google ChromeOS, which can allow an attacker to elevate their privileges.

Recommendations For parisneo/lollms-webui version v9.8, consider disabling the vulnerable endpoints "/reload binding", "/install binding", "/reinstall binding", "/unInstall binding", "/set active binding settings", and "/update binding settings" until a patch is available. As a temporary workaround, restrict access to these endpoints to minimize the risk of exploitation. Avoid using the lollms binding infos without the client id parameter in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.