Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-5482— SSRF in add_webpage endpoint in parisneo/lollms-webui

EPSS 0.34% · P57
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-5482

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
SSRF in add_webpage endpoint in parisneo/lollms-webui
Source: NVD (National Vulnerability Database)
Vulnerability Description
A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui application, affecting the latest version. The vulnerability arises because the application does not adequately validate URLs entered by users, allowing them to input arbitrary URLs, including those that target internal resources such as 'localhost' or '127.0.0.1'. This flaw enables attackers to make unauthorized requests to internal or external systems, potentially leading to access to sensitive data, service disruption, network integrity compromise, business logic manipulation, and abuse of third-party resources. The issue is critical and requires immediate attention to maintain the application's security and integrity.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
LoLLMs 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
LoLLMs是Saifeddine ALOUI个人开发者的一个大型语言多模式系统的 Web UI。 LoLLMs 存在代码问题漏洞,该漏洞源于没有充分验证用户输入的 URL,存在服务器端请求伪造(SSRF)漏洞,攻击者能够向内部或外部系统发出未经授权的请求,导致服务中断、网络完整性受损和滥用第三方资源。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
parisneoparisneo/lollms-webui unspecified ~ latest -

II. Public POCs for CVE-2024-5482

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-5482

登录查看更多情报信息。

Same Patch Batch · parisneo · 2024-06-06 · 12 CVEs total

CVE-2024-1873Path Traversal and Denial of Service in parisneo/lollms-webui
CVE-2024-2624Path Traversal and Arbitrary File Upload Vulnerability in parisneo/lollms-webui
CVE-2024-2362Path Traversal in parisneo/lollms-webui
CVE-2024-2360Path Traversal leading to Remote Code Execution in parisneo/lollms-webui
CVE-2024-2359Improper Neutralization of Special Elements used in an OS Command in parisneo/lollms-webui
CVE-2024-2548Path Traversal in parisneo/lollms-webui
CVE-2024-2288CSRF File Upload Vulnerability in parisneo/lollms-webui
CVE-2024-3429Path Traversal in parisneo/lollms
CVE-2024-3322Path Traversal in parisneo/lollms-webui
CVE-2024-4881Path Traversal in parisneo/lollms
CVE-2024-4320Remote Code Execution due to LFI in '/install_extension' in parisneo/lollms-webui

IV. Related Vulnerabilities

Same product: parisneo/lollms-webui
Same vendor: parisneo
Same weakness: CWE-918

V. Comments for CVE-2024-5482

No comments yet

Leave a comment