CVE-2024-5482

A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui application, affecting the latest version. The vulnerability arises because the application does not adequately validate URLs entered by users, allowing them to input arbitrary URLs, including those that target internal resources such as 'localhost' or '127.0.0.1'. This flaw enables attackers to make unauthorized requests to internal or external systems, potentially leading to access to sensitive data, service disruption, network integrity compromise, business logic manipulation, and abuse of third-party resources. The issue is critical and requires immediate attention to maintain the application's security and integrity.
References
Link Resource
https://huntr.com/bounties/d97e23e7-172f-4862-a732-86bfc0b7860e Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:lollms:lollms_web_ui:-:*:*:*:*:*:*:*

History

09 Oct 2024, 16:12

Type Values Removed Values Added
CPE cpe:2.3:a:lollms:lollms_web_ui:-:*:*:*:*:*:*:*
First Time Lollms lollms Web Ui
Lollms
References () https://huntr.com/bounties/d97e23e7-172f-4862-a732-86bfc0b7860e - () https://huntr.com/bounties/d97e23e7-172f-4862-a732-86bfc0b7860e - Exploit, Third Party Advisory
CVSS v2 : unknown
v3 : 7.4
v2 : unknown
v3 : 9.8

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de Server-Side Request Forgery (SSRF) en el endpoint 'add_webpage' de la aplicación parisneo/lollms-webui, que afecta a la última versión. La vulnerabilidad surge porque la aplicación no valida adecuadamente las URL ingresadas por los usuarios, permitiéndoles ingresar URL arbitrarias, incluidas aquellas que apuntan a recursos internos como 'localhost' o '127.0.0.1'. Esta falla permite a los atacantes realizar solicitudes no autorizadas a sistemas internos o externos, lo que potencialmente conduce al acceso a datos confidenciales, interrupción del servicio, compromiso de la integridad de la red, manipulación de la lógica empresarial y abuso de recursos de terceros. El problema es crítico y requiere atención inmediata para mantener la seguridad e integridad de la aplicación.

06 Jun 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-06 18:15

Updated : 2024-10-09 16:12


NVD link : CVE-2024-5482

Mitre link : CVE-2024-5482

CVE.ORG link : CVE-2024-5482


JSON object : View

Products Affected

lollms

  • lollms_web_ui
CWE
CWE-918

Server-Side Request Forgery (SSRF)