VYPR

Lollms

by Lollms

pypi: lollms

Source repositories

CVEs (75)

  • CVE-2024-6673Oct 29, 2024
    risk 0.00cvss epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in the `install_comfyui` endpoint of the `lollms_comfyui.py` file in the parisneo/lollms-webui repository, versions v9.9 to the latest. The endpoint uses the GET method without requiring a client ID, allowing an attacker…

  • CVE-2024-6674Oct 29, 2024
    risk 0.00cvss epss 0.00

    A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on…

  • CVE-2024-6959Oct 13, 2024
    risk 0.00cvss epss 0.00

    A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering…

  • CVE-2024-6394Sep 30, 2024
    risk 0.00cvss epss 0.01

    A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized…

  • CVE-2024-6040Aug 1, 2024
    risk 0.00cvss epss 0.00

    In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding,…

  • CVE-2024-4897Jul 2, 2024
    risk 0.00cvss epss 0.00

    parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo'…

  • CVE-2024-5933Jun 27, 2024
    risk 0.00cvss epss 0.00

    A Cross-site Scripting (XSS) vulnerability exists in the chat functionality of parisneo/lollms-webui in the latest version. This vulnerability allows an attacker to inject malicious scripts via chat messages, which are then executed in the context of the user's browser.

  • CVE-2024-4498Jun 25, 2024
    risk 0.00cvss epss 0.00

    A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the `/apply_settings` function, allowing an attacker to…

  • CVE-2024-4839Jun 24, 2024
    risk 0.00cvss epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and…

  • CVE-2024-4499Jun 24, 2024
    risk 0.00cvss epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS policy. The vulnerability allows attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage, which can then trigger…

  • CVE-2024-4403Jun 10, 2024
    risk 0.00cvss epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintended actions, such as resetting the program without their knowledge, by sending…

  • CVE-2024-4328Jun 10, 2024
    risk 0.00cvss epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in the clear_personality_files_list function of the parisneo/lollms-webui v9.6. The vulnerability arises from the use of a GET request to clear personality files list, which lacks proper CSRF protection. This flaw allows…

  • CVE-2024-2359Jun 6, 2024
    risk 0.00cvss epss 0.01

    A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the `/execute_code` endpoint, which is intended to be blocked from external access by…

  • CVE-2024-2360Jun 6, 2024
    risk 0.00cvss epss 0.02

    parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in the 'Database path' and 'PDF LaTeX path' settings. An attacker can exploit this vulnerability by manipulating these…

  • CVE-2024-3322Jun 6, 2024
    risk 0.00cvss epss 0.01

    A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. The vulnerability arises from the improper limitation of a pathname to a restricted directory in the 'process_folder' function…

  • CVE-2024-2288Jun 6, 2024
    risk 0.00cvss epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile…

  • CVE-2024-2624Jun 6, 2024
    risk 0.00cvss epss 0.01

    A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the `@router.get("/switch_personal_path")` endpoint in `./lollms-webui/lollms_core/lollms/server/endpoints/lollms_user.py`. The vulnerability arises due…

  • CVE-2024-2548Jun 6, 2024
    risk 0.00cvss epss 0.01

    A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `lollms_core/lollms/server/endpoints/lollms_binding_files_server.py` and `lollms_core/lollms/security.py` files. Due to inadequate validation of file paths between Windows and…

  • CVE-2024-2362Jun 6, 2024
    risk 0.00cvss epss 0.01

    A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises…

  • CVE-2024-5482Jun 6, 2024
    risk 0.00cvss epss 0.01

    A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui application, affecting the latest version. The vulnerability arises because the application does not adequately validate URLs entered by users, allowing them to…