PT-2024-37735 · Lollms · Lollms
Published 2024-10-29 · Updated 2024-11-01 · CVE-2024-6581
CVSS v3.1: 9.0 (Critical)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Lollms version v9.9
Description
A vulnerability in the discussion image upload function allows SVG files to be uploaded. The sanitize_svg function only removes <script> elements and on* event-handler attributes; it does not account for the other script-execution vectors SVG supports, such as href or xlink:href attributes carrying a javascript: URL, a <foreignObject> element wrapping arbitrary HTML, or <set>/<animate> elements that assign an event-handler attribute at run time. A crafted SVG therefore passes sanitization and executes in the browser of any authorized user who opens the URL of the uploaded file, in the application's origin and with that user's session (stored cross-site scripting). The report also notes a risk of remote code execution.
Recommendations
Until a patch is available for v9.9, do not rely on sanitize_svg: reject SVG uploads in the discussion image upload function outright, and restrict access to that function to minimize exposure. Where SVG must be accepted, use a parser-based allowlist of elements and attributes rather than a blocklist of known-bad tokens, and serve uploaded files with a Content-Security-Policy that forbids script (or with Content-Disposition: attachment) so that opening the file URL directly cannot execute it.
Exploit
Fix
XSS
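The sanitization gap described above, as an added example that is not part of the advisory and not code from the Lollms project: weak_sanitize_svg is a hypothetical reconstruction of the behaviour the description attributes to sanitize_svg (strip script elements and on* attributes, nothing else), strict_sanitize_svg is a parser-based allowlist alternative, and has_active_content is the check run over constructed SVG samples to show which vectors survive each. The allowlisted element and attribute names are illustrative choices, not a complete SVG profile.

```python
# Added example (not Lollms code): blocklist vs. allowlist sanitization of uploaded SVG.
import re
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml
from typing import Optional

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # serialize with a default xmlns instead of ns0: prefixes

# Constructed inputs, not taken from the advisory or the original report.
SAMPLES = {
    "script_tag": '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "onload_attr": '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>',
    "javascript_href": ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                        '<a xlink:href="javascript:alert(1)"><text x="10" y="20">click</text></a></svg>'),
    "foreign_object": ('<svg xmlns="http://www.w3.org/2000/svg"><foreignObject width="100" height="100">'
                       '<body xmlns="http://www.w3.org/1999/xhtml"><iframe src="javascript:alert(1)"></iframe>'
                       '</body></foreignObject></svg>'),
    "set_handler": ('<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10">'
                    '<set attributeName="onmouseover" to="alert(1)"/></rect></svg>'),
    "benign": '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="red"/></svg>',
}

# Hypothetical reconstruction of the behaviour the advisory attributes to sanitize_svg:
# strip <script>...</script> blocks and on*="..." attributes, and nothing else.
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)
ON_ATTR_RE = re.compile(r"""\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)


def weak_sanitize_svg(svg: str) -> str:
    return ON_ATTR_RE.sub("", SCRIPT_RE.sub("", svg))


def _local(qname: str) -> str:
    """'{ns}name' -> 'name'; unqualified names pass through."""
    return qname.rsplit("}", 1)[-1]


def _svg_local(tag: str) -> Optional[str]:
    """Local name if the element is SVG-namespaced or unqualified, else None."""
    if tag.startswith("{"):
        ns, _, name = tag[1:].partition("}")
        return name if ns == SVG_NS else None
    return tag


def has_active_content(svg: str) -> bool:
    """True if a script-execution vector survives: <script>, <foreignObject>, any on*
    attribute, href/xlink:href with a javascript: scheme, or <set>/<animate> that
    targets an on* or href attribute."""
    try:
        root = ET.fromstring(svg)
    except ET.ParseError:
        return True  # output that no longer parses is not safe to serve either
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignObject"):
            return True
        if tag in ("set", "animate"):
            target = el.get("attributeName", "").lower()
            if target.startswith("on") or target.endswith("href"):
                return True
        for name, value in el.attrib.items():
            lname = _local(name).lower()
            if lname.startswith("on") or (lname == "href" and re.match(r"\s*javascript:", value, re.I)):
                return True
    return False


# Allowlist alternative: keep only static drawing elements/attributes (an illustrative set).
ALLOWED_TAGS = {"svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse", "line",
                "polyline", "polygon", "text", "tspan", "linearGradient", "radialGradient", "stop", "clipPath"}
ALLOWED_ATTRS = {"id", "class", "width", "height", "viewBox", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy",
                 "r", "rx", "ry", "d", "points", "fill", "stroke", "stroke-width", "opacity", "transform",
                 "offset", "stop-color", "font-size", "text-anchor"}


def strict_sanitize_svg(svg: str) -> str:
    """Parse, drop every element (whole subtree) and attribute not on the allowlist, re-serialize.
    ET.ParseError (malformed XML) and ValueError (non-SVG root) should both reject the upload."""
    root = ET.fromstring(svg)
    if _svg_local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")

    def clean(el: ET.Element) -> None:
        for child in list(el):
            if _svg_local(child.tag) in ALLOWED_TAGS:
                clean(child)
            else:
                el.remove(child)  # <a>, <use>, <image>, <set>, <animate>, <foreignObject>, ...
        for name in list(el.attrib):
            if name.startswith("{") or name not in ALLOWED_ATTRS:  # drops xlink:href, on*, style, ...
                del el.attrib[name]

    clean(root)
    return ET.tostring(root, encoding="unicode")


def audit() -> set:
    """Sample names that still carry active content after weak_sanitize_svg."""
    return {name for name, svg in SAMPLES.items() if has_active_content(weak_sanitize_svg(svg))}


if __name__ == "__main__":
    for name, svg in SAMPLES.items():
        weak = "UNSAFE" if has_active_content(weak_sanitize_svg(svg)) else "ok"
        strict = "UNSAFE" if has_active_content(strict_sanitize_svg(svg)) else "ok"
        print(f"{name:16} weak:{weak:7} strict:{strict}")
```

Running the block reports the two samples the blocklist handles (script_tag, onload_attr) as ok and the other three (javascript_href, foreign_object, set_handler) as still unsafe, while the allowlist pass leaves none of them active and keeps the benign drawing intact. The design point is that the allowlist operates on the parsed tree and removes whole subtrees, so a vector only needs to be absent from the list, not anticipated by a pattern.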
Affected Products
Lollms