
CVE-2024-6040

Missing Critical Step in Authentication

Published: Aug 01, 2024 | Modified: Jul 07, 2025
CVSS 3.x: 8.8 (HIGH), source: NVD
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.

Weakness

The product implements an authentication technique, but it skips a step that weakens the technique.

Affected Software

Name           Vendor   Start Version     End Version
Lollms_web_ui  Lollms   9.8 (including)   9.8 (including)
