PT-2024-34574 · Unknown · Parisneo/Lollms-Webui

Published: 2024-11-14 · Updated: 2025-07-07 · CVE-2024-5125

CVSS v3.1: 7.3 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui version 9.6

Description: The issue arises from inadequate validation and processing of SVG files during upload, leading to Cross-Site Scripting (XSS) and Open Redirect vulnerabilities. The XSS vulnerability allows attackers to embed malicious JavaScript in an SVG file, which is executed when the file is rendered, potentially leading to credential theft and unauthorized data access. The Open Redirect vulnerability enables attackers to redirect users to malicious websites, exposing them to phishing, malware distribution, and reputational damage. Both vulnerabilities are present in the application's functionality for sending files to the AI module.

Recommendations: For parisneo/lollms-webui version 9.6, consider disabling the SVG file upload feature until a patch is available, to prevent exploitation of the XSS and Open Redirect vulnerabilities. Restrict access to the AI module to minimize the risk of unauthorized data access and credential theft. Avoid using the application's file upload functionality for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
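Where disabling SVG uploads outright is not an option, a server-side reject-list check along the lines below narrows the window. This is an added example, not code from the advisory or from lollms-webui; the function and constant names are assumptions, and the sample inputs are constructed.

```python
"""Reject SVG uploads that carry active content (added example, not lollms-webui code)."""
import re
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml

# Elements that run script or embed arbitrary HTML / external documents.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Link targets that execute code or leave the application (covers the open-redirect case).
UNSAFE_URL = re.compile(r"^\s*(javascript|data|vbscript):|^\s*(https?:)?//", re.I)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return reasons the SVG is unsafe to render inline; an empty list means clean."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings: list[str] = []
    for el in root.iter():  # includes the root element itself
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):  # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "src") and UNSAFE_URL.search(value):  # href / xlink:href
                findings.append(f"{name}={value!r} on <{tag}>")
    return findings


def accept_svg_upload(data: bytes, max_bytes: int = 512 * 1024) -> bool:
    """Accept only small, well-formed SVGs with no active content."""
    return len(data) <= max_bytes and not svg_findings(data)


if __name__ == "__main__":
    # Constructed samples, not taken from the advisory.
    samples = {
        "plain": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
        "scripted": b'<svg xmlns="http://www.w3.org/2000/svg" onload="f()"><script/></svg>',
        "redirect": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                    b'<a xlink:href="https://example.org/"><text>x</text></a></svg>',
    }
    for label, svg in samples.items():
        print(label, accept_svg_upload(svg), svg_findings(svg))
```

Rejection is the conservative choice; if uploaded SVGs must be displayed at all, serve them as an `<img>` source or from a separate origin rather than inlining them, so any remaining script does not run in the application's origin.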

Exploit: XSS · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2024-5125

Affected Products: Parisneo/Lollms-Webui