Lollms
by Lollms
Source repositories
CVEs (75)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-6673 | 0.00 | — | 0.00 | Oct 29, 2024 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the `install_comfyui` endpoint of the `lollms_comfyui.py` file in the parisneo/lollms-webui repository, versions v9.9 to the latest. The endpoint uses the GET method without requiring a client ID, allowing an attacker… | |||
| CVE-2024-6674 | 0.00 | — | 0.00 | Oct 29, 2024 | A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on… | |||
| CVE-2024-6959 | 0.00 | — | 0.00 | Oct 13, 2024 | A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering… | |||
| CVE-2024-6394 | 0.00 | — | 0.01 | Sep 30, 2024 | A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized… | |||
| CVE-2024-6040 | 0.00 | — | 0.00 | Aug 1, 2024 | In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding,… | |||
| CVE-2024-4897 | 0.00 | — | 0.00 | Jul 2, 2024 | parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo'… | |||
| CVE-2024-5933 | 0.00 | — | 0.00 | Jun 27, 2024 | A Cross-site Scripting (XSS) vulnerability exists in the chat functionality of parisneo/lollms-webui in the latest version. This vulnerability allows an attacker to inject malicious scripts via chat messages, which are then executed in the context of the user's browser. | |||
| CVE-2024-4498 | 0.00 | — | 0.00 | Jun 25, 2024 | A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the `/apply_settings` function, allowing an attacker to… | |||
| CVE-2024-4839 | 0.00 | — | 0.00 | Jun 24, 2024 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and… | |||
| CVE-2024-4499 | 0.00 | — | 0.00 | Jun 24, 2024 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS policy. The vulnerability allows attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage, which can then trigger… | |||
| CVE-2024-4403 | 0.00 | — | 0.00 | Jun 10, 2024 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintended actions, such as resetting the program without their knowledge, by sending… | |||
| CVE-2024-4328 | 0.00 | — | 0.00 | Jun 10, 2024 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the clear_personality_files_list function of the parisneo/lollms-webui v9.6. The vulnerability arises from the use of a GET request to clear personality files list, which lacks proper CSRF protection. This flaw allows… | |||
| CVE-2024-2359 | 0.00 | — | 0.01 | Jun 6, 2024 | A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the `/execute_code` endpoint, which is intended to be blocked from external access by… | |||
| CVE-2024-2360 | 0.00 | — | 0.02 | Jun 6, 2024 | parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in the 'Database path' and 'PDF LaTeX path' settings. An attacker can exploit this vulnerability by manipulating these… | |||
| CVE-2024-3322 | 0.00 | — | 0.01 | Jun 6, 2024 | A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. The vulnerability arises from the improper limitation of a pathname to a restricted directory in the 'process_folder' function… | |||
| CVE-2024-2288 | 0.00 | — | 0.00 | Jun 6, 2024 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile… | |||
| CVE-2024-2624 | 0.00 | — | 0.01 | Jun 6, 2024 | A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the `@router.get("/switch_personal_path")` endpoint in `./lollms-webui/lollms_core/lollms/server/endpoints/lollms_user.py`. The vulnerability arises due… | |||
| CVE-2024-2548 | 0.00 | — | 0.01 | Jun 6, 2024 | A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `lollms_core/lollms/server/endpoints/lollms_binding_files_server.py` and `lollms_core/lollms/security.py` files. Due to inadequate validation of file paths between Windows and… | |||
| CVE-2024-2362 | 0.00 | — | 0.01 | Jun 6, 2024 | A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises… | |||
| CVE-2024-5482 | 0.00 | — | 0.01 | Jun 6, 2024 | A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui application, affecting the latest version. The vulnerability arises because the application does not adequately validate URLs entered by users, allowing them to… |
- CVE-2024-6673Oct 29, 2024risk 0.00cvss —epss 0.00
A Cross-Site Request Forgery (CSRF) vulnerability exists in the `install_comfyui` endpoint of the `lollms_comfyui.py` file in the parisneo/lollms-webui repository, versions v9.9 to the latest. The endpoint uses the GET method without requiring a client ID, allowing an attacker…
- CVE-2024-6674Oct 29, 2024risk 0.00cvss —epss 0.00
A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on…
- CVE-2024-6959Oct 13, 2024risk 0.00cvss —epss 0.00
A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering…
- CVE-2024-6394Sep 30, 2024risk 0.00cvss —epss 0.01
A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized…
- CVE-2024-6040Aug 1, 2024risk 0.00cvss —epss 0.00
In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding,…
- CVE-2024-4897Jul 2, 2024risk 0.00cvss —epss 0.00
parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo'…
- CVE-2024-5933Jun 27, 2024risk 0.00cvss —epss 0.00
A Cross-site Scripting (XSS) vulnerability exists in the chat functionality of parisneo/lollms-webui in the latest version. This vulnerability allows an attacker to inject malicious scripts via chat messages, which are then executed in the context of the user's browser.
- CVE-2024-4498Jun 25, 2024risk 0.00cvss —epss 0.00
A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the `/apply_settings` function, allowing an attacker to…
- CVE-2024-4839Jun 24, 2024risk 0.00cvss —epss 0.00
A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and…
- CVE-2024-4499Jun 24, 2024risk 0.00cvss —epss 0.00
A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS policy. The vulnerability allows attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage, which can then trigger…
- CVE-2024-4403Jun 10, 2024risk 0.00cvss —epss 0.00
A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintended actions, such as resetting the program without their knowledge, by sending…
- CVE-2024-4328Jun 10, 2024risk 0.00cvss —epss 0.00
A Cross-Site Request Forgery (CSRF) vulnerability exists in the clear_personality_files_list function of the parisneo/lollms-webui v9.6. The vulnerability arises from the use of a GET request to clear personality files list, which lacks proper CSRF protection. This flaw allows…
- CVE-2024-2359Jun 6, 2024risk 0.00cvss —epss 0.01
A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the `/execute_code` endpoint, which is intended to be blocked from external access by…
- CVE-2024-2360Jun 6, 2024risk 0.00cvss —epss 0.02
parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in the 'Database path' and 'PDF LaTeX path' settings. An attacker can exploit this vulnerability by manipulating these…
- CVE-2024-3322Jun 6, 2024risk 0.00cvss —epss 0.01
A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. The vulnerability arises from the improper limitation of a pathname to a restricted directory in the 'process_folder' function…
- CVE-2024-2288Jun 6, 2024risk 0.00cvss —epss 0.00
A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile…
- CVE-2024-2624Jun 6, 2024risk 0.00cvss —epss 0.01
A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the `@router.get("/switch_personal_path")` endpoint in `./lollms-webui/lollms_core/lollms/server/endpoints/lollms_user.py`. The vulnerability arises due…
- CVE-2024-2548Jun 6, 2024risk 0.00cvss —epss 0.01
A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `lollms_core/lollms/server/endpoints/lollms_binding_files_server.py` and `lollms_core/lollms/security.py` files. Due to inadequate validation of file paths between Windows and…
- CVE-2024-2362Jun 6, 2024risk 0.00cvss —epss 0.01
A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises…
- CVE-2024-5482Jun 6, 2024risk 0.00cvss —epss 0.01
A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui application, affecting the latest version. The vulnerability arises because the application does not adequately validate URLs entered by users, allowing them to…
Page 3 of 4