CVE-2024-6959

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-6959
A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering lollms-webui inaccessible. This issue is exacerbated by the lack of Cross-Site Request Forgery (CSRF) protection, enabling remote exploitation. The vulnerability leads to service disruption, resource exhaustion, and extended downtime.

7.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://huntr.com/bounties/6394d32e-f35c-418a-95b8-e7254ed0bc8e Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:lollms:lollms_web_ui:9.8:*:*:*:*:*:*:*
History

03 Nov 2024, 17:15

Type Values Removed Values Added
CWE CWE-400

22 Oct 2024, 14:02

Type Values Removed Values Added
First Time Lollms lollms Web Ui
Lollms
CPE cpe:2.3:a:lollms:lollms_web_ui:9.8:*:*:*:*:*:*:*
References () https://huntr.com/bounties/6394d32e-f35c-418a-95b8-e7254ed0bc8e - () https://huntr.com/bounties/6394d32e-f35c-418a-95b8-e7254ed0bc8e - Exploit, Third Party Advisory
CWE CWE-352

15 Oct 2024, 12:57

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad en la versión 9.8 de parisneo/lollms-webui permite un ataque de denegación de servicio (DOS) al cargar un archivo de audio. Si un atacante agrega una gran cantidad de caracteres al final de un límite de varias partes, el sistema procesará continuamente cada carácter, lo que hará que lollms-webui sea inaccesible. Este problema se ve agravado por la falta de protección contra Cross-Site Request Forgery (CSRF), lo que permite la explotación remota. La vulnerabilidad provoca la interrupción del servicio, el agotamiento de los recursos y un tiempo de inactividad prolongado.

13 Oct 2024, 13:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-10-13 13:15

Updated : 2024-11-03 17:15

NVD link : CVE-2024-6959

Mitre link : CVE-2024-6959

CVE.ORG link : CVE-2024-6959

JSON object : View

Products Affected

lollms

  • lollms_web_ui
CWE
CWE-352

Cross-Site Request Forgery (CSRF)