Medium

lollms

Remote Code Execution via Stored XSS in SVG Image Upload

A stored cross-site scripting (XSS) vulnerability in the SVG image upload function of Lollms (version 9.9) allows remote code execution. This issue was patched in version 9.9.

Available publicly on Oct 08 2024

Remediation Steps
  • Update to version 9.9 or later.
  • Enhance the sanitize_svg function to comprehensively filter out all potential XSS vectors, including entity declarations.
  • Implement additional input validation and output encoding measures.
  • Conduct regular security audits and testing to identify and mitigate similar vulnerabilities.
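An allow-list check of the kind the second remediation step describes, written here as an added example (it is not lollms' own sanitize_svg or the code in the patch commit); all names are assumed. It refuses any DOCTYPE, which is where entity declarations live, along with script-bearing elements, event-handler attributes and script/data URLs:

```python
import xml.parsers.expat

# Illustrative names; this is not lollms' own sanitize_svg or its patch.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object",
                      "set", "animate", "animatetransform", "handler", "style"}
UNSAFE_SCHEMES = ("javascript:", "data:", "vbscript:")

class UnsafeSvgError(ValueError):
    """Raised when the upload contains a construct that could run script."""

def _local(name):
    # No namespace processing: names keep a prefix ("xlink:href"), so compare on the local part.
    return name.rsplit(":", 1)[-1].lower()

def _unsafe_url(value):
    # Strip whitespace/control characters browsers ignore before the scheme.
    compact = "".join(c for c in value if c.isprintable() and not c.isspace())
    return compact.lower().startswith(UNSAFE_SCHEMES)

def sanitize_svg(data: bytes) -> bytes:
    """Return the SVG bytes unchanged if clean, else raise UnsafeSvgError."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(*_):
        # <!ENTITY> only lives in a DOCTYPE subset: refusing every DOCTYPE closes that vector.
        raise UnsafeSvgError("DOCTYPE / entity declarations are not allowed")

    def on_start(name, attrs):
        if _local(name) in FORBIDDEN_ELEMENTS:
            raise UnsafeSvgError(f"forbidden element <{name}>")
        for attr, value in attrs.items():
            if _local(attr).startswith("on"):  # onload, onclick, onbegin, ...
                raise UnsafeSvgError(f"event handler attribute {attr}")
            if _local(attr) in ("href", "src") and _unsafe_url(value):
                raise UnsafeSvgError(f"script-bearing URL in {attr}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeSvgError(f"malformed XML: {exc}") from exc
    return data

def is_safe_svg(data: bytes) -> bool:
    try:
        sanitize_svg(data)
        return True
    except UnsafeSvgError:
        return False
```

The check is deliberately strict: data: URLs are refused along with javascript:, so inline base64 images and nested SVGs are rejected rather than inspected.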
Patch Details
  • Fixed Version: 9.9
  • Patch Commit: https://github.com/ParisNeo/lollms/commit/328b960a0de2097e13654ac752253e9541521ddd