High

lollms-webui

SSRF Vulnerability in add_webpage Endpoint

A Server-Side Request Forgery (SSRF) vulnerability was identified in the `add_webpage` endpoint of the parisneo/lollms-webui application. The vulnerability arises because the endpoint does not validate URLs entered by users, allowing for requests to any specified URL, including internal addresses like `localhost` or `127.0.0.1`. This issue affects the latest version of the software, and as of the report, no fixed version has been announced.

Available publicly on May 30 2024

CVSS Score: 7.4

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Remediation Steps
  • Ensure input validation is implemented for the `add_webpage` endpoint to restrict URLs to a safe list or pattern.
  • Employ a denylist to block requests to known sensitive or internal IP addresses and domains.
  • Consider implementing server-side request forgery (SSRF) protection mechanisms such as validating URLs against a schema that only allows certain protocols and domains.
  • Regularly update the application and its dependencies to incorporate security patches and improvements.
  • Conduct thorough security testing and code reviews to identify and remediate potential SSRF vulnerabilities.
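The validation the first three remediation steps call for, as an added example rather than lollms-webui's own code: an allowlist of schemes, a denylist of loopback, private, link-local and other non-public addresses, and resolution of every address a hostname maps to. The function name `validate_webpage_url` and the injectable `resolver` are assumptions; the sample resolver in the test is constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # no file://, gopher://, ftp:// etc.


def _is_public_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(hostname: str) -> set:
    # Check every A/AAAA answer: a name that maps to one public and one
    # internal address must still be rejected.
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def validate_webpage_url(url: str, resolver=resolve_all):
    """Return (ok, reason) for a user-supplied URL before it is fetched."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname  # brackets stripped from IPv6 literals, lowercased
    if not host:
        return False, "missing host"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP: check directly
    except ValueError:
        if host == "localhost" or host.endswith(".localhost"):
            return False, "localhost"
        try:
            addrs = resolver(host)
        except OSError:
            return False, "unresolvable host"
    for addr in addrs:
        if not _is_public_ip(addr):
            return False, f"resolves to non-public address {addr}"
    # Caller should connect to the validated address (not re-resolve) and
    # re-run this check on every HTTP redirect, or the check can be bypassed.
    return True, "ok"
```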
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A