PT-2024-36425 · Parisneo · Lollms-Webui

Published

2024-06-06

·

Updated

2024-10-09

·

CVE-2024-5482

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

parisneo/lollms-webui, version latest
Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the "add webpage" endpoint, which fetches a user-supplied URL without validating its destination. An attacker can therefore submit URLs that point at internal resources such as localhost or 127.0.0.1, and the server will issue the request on the attacker's behalf. This enables unauthorized requests to internal or external systems and can lead to exposure of sensitive data, service disruption, compromise of network integrity, manipulation of business logic, and abuse of third-party resources. No authentication or user interaction is required (CVSS PR:N, UI:N). The issue is critical and requires immediate attention.

Recommendations

As a temporary workaround, disable the add webpage endpoint until a patch is available. If it must remain enabled, restrict the URLs it will fetch: allow only http and https, reject any hostname or IP literal that resolves to loopback, private, or link-local address space (localhost, 127.0.0.1, 10.0.0.0/8, 169.254.0.0/16 and their IPv6 equivalents), and apply egress network rules so the webui process cannot reach internal services at all. Do not submit arbitrary or untrusted URLs to the endpoint until the issue is resolved. At the time of writing, no released version containing a fix is known.
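The following is an added example of the destination check the recommendations call for; it is not code from lollms-webui, and the function name `check_webpage_url`, the allowed port set and the pluggable resolver are assumptions made for illustration. It rejects non-http(s) schemes, URLs with embedded credentials, unusual ports, and any host whose resolved addresses fall outside globally routable unicast space, which covers localhost, 127.0.0.1, IPv4-mapped forms such as ::ffff:127.0.0.1, RFC 1918 ranges and link-local metadata addresses. Resolving the hostname rather than pattern-matching the string is what defeats aliases like decimal or octal IP spellings that a naive "does it contain 127.0.0.1" check misses.

```python
"""Added example, not lollms-webui code: deny-by-default URL validation for a
'fetch this webpage' feature. check_webpage_url, ALLOWED_PORTS and the resolver
hook are assumptions for illustration."""
import ipaddress
import socket
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumption: a webpage fetcher only needs these

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> Iterable[str]:
    """Default resolver: every address the OS returns for the host.
    glibc also maps spellings like '2130706433' or '0177.0.0.1' to 127.0.0.1
    here, so those tricks are caught by the address check below."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def address_is_public(ip: ipaddress._BaseAddress) -> bool:
    """True only for globally routable unicast addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    # is_global excludes loopback, RFC 1918, link-local (169.254/16, fe80::/10),
    # unspecified, reserved and CGNAT space; multicast is excluded explicitly.
    return ip.is_global and not ip.is_multicast


def check_webpage_url(url: str, resolve: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Every resolved address must be public;
    a host that resolves to a mix of public and internal addresses is rejected."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"

    try:
        ipaddress.ip_address(host)
        candidates = [host]            # well-formed IP literal: check it directly
    except ValueError:
        try:
            candidates = list(resolve(host))  # hostname or odd IP spelling: resolve
        except OSError as exc:         # socket.gaierror is a subclass of OSError
            return False, f"resolution failed: {exc}"
    if not candidates:
        return False, "host resolved to no addresses"

    for addr in candidates:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable address: {addr!r}"
        if not address_is_public(ip):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the hostnames are illustrative only.
    for candidate in (
        "http://127.0.0.1:80/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
        "https://example.com/page",
    ):
        print(candidate, "->", check_webpage_url(candidate))
```

Validating before fetching still leaves a window: a hostname can resolve to a public address at check time and to 127.0.0.1 when the HTTP client connects (DNS rebinding), and an allowed public site can redirect to an internal address. A fetcher built on this check should connect to the address it validated rather than re-resolving, and either disable redirects or run the same check on every hop.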

Exploit

SSRF

Weakness Enumeration

Related Identifiers

CVE-2024-5482

Affected Products

Lollms-Webui